Reporting Security Vulnerability

The WSO2 security team welcomes contributions from our user community, developers, and security researchers to reinforce our product security. The security team at WSO2 will be more than happy to assist you in such efforts.

We strongly encourage you to report security vulnerabilities to our private security mailing list: - first, before disclosing them in any public forums. Only members of the WSO2 internal security team are subscribed to this private mailing list, and reports sent to it are treated as top priority.

If you wish to send secure messages to, you may use the following key: F0AB 72EC D77A 6162 4C48 A245 0CF3 FD36 E100 FF07

Vulnerability Information

Please use the following template in reporting vulnerabilities:

  • Vulnerable Siddhi distribution(s) and version(s)
  • Overview: High-level overview of the issue and self-assessed severity
  • Description: Include the steps to reproduce
  • Impact: Self-assessed impact
  • Solution: Any proposed solution

Vulnerability Handling

An overview of the vulnerability handling process:

  • The user reports the vulnerability privately to
  • The WSO2 security team works privately with the user to resolve the vulnerability. The initial response time will be less than one hour.
  • The vulnerability is fixed and QA verifies the solution.
  • A patch is released with the identified fix.
  • A new release of the component/product is made, based on the severity of the issue identified.
  • The vulnerability is announced and the patch is shared publicly.