Merge pull request #20830 from praneesha/lang-issue-20829
Add the Latest Content from the Staging Website Repo
Showing 1 changed file with 18 additions and 9 deletions.
@@ -1,3 +1,9 @@ | ||
--- | ||
layout: ballerina-inner-page | ||
title: Reporting a Security Vulnerability | ||
permalink: /security/ | ||
--- | ||
|
||
# Security Policy | ||
|
||
Ballerina project maintainers take security issues very seriously and all the vulnerability reports are treated with the highest priority and confidentiality. | ||
|
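Review bot: the added front matter sets `title: Reporting a Security Vulnerability` while the heading two lines below it stays `# Security Policy`, so the rendered page will carry two different titles for the same document; pick one (the heading text is the more accurate description of the whole file, which also covers the handling process) and use it in both places. Note also that `layout`, `title` and `permalink` only have meaning to the website generator, so when this file is read directly in the repository the `---` block will render as a plain table above the heading.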
@@ -7,29 +13,32 @@ Ballerina project maintainers take security issues very seriously and all the vu | |
|
||
## Reporting a vulnerability | ||
|
||
Ensure you are using the latest Ballerina version before you test a security issue, run an automated security scan or perform a penetration test. | ||
Ensure you are using the latest Ballerina version before you run an automated security scan or perform a penetration test against it. | ||
|
||
If you have any concerns regarding the security aspects of the source code or any other resource in this repo or have uncovered a security vulnerability, we strongly encourage you to report that to our private and highly confidential security mailing list: **[[email protected]](mailto:[email protected])** first using the below key without disclosing them in any forums, sites, or other groups - public or private. | ||
Based on the ethics of responsible disclosure, you must only use the **[[email protected]](mailto:[email protected])** mailing list to report security vulnerabilities and any other concerns regarding the security aspects of the source code or any other resource in this repo. | ||
|
||
security@ballerina.io: 0168 DA26 2989 0DB9 4ACD 8367 E683 061E 2F85 C381 [pgp.mit.edu](https://pgp.surfnet.nl/pks/lookup?op=vindex&fingerprint=on&search=0xE683061E2F85C381) | ||
**WARNING:** To protect the end-user security, please do not use any other medium to report security vulnerabilities. Also, kindly refrain from disclosing the vulnerability details you come across with other individuals, in any forums, sites, or other groups - public or private before it’s mitigation actions and disclosure process are completed. | ||
|
||
We will keep you informed of the progress towards a fix and disclosure of the vulnerability if reported issue is identified as a true positive. To protect the end-user security, these issues could be disclosed in other places only after it’s mitigation actions and disclosure process are completed. | ||
Use the following key to send secure messages to security@ballerina.io: | ||
|
||
**Warning:** Please do not create GitHub issues for security vulnerabilities. Further, kindly refrain from sharing the vulnerability details you come across with other individuals. | ||
> security@ballerina.io: 0168 DA26 2989 0DB9 4ACD 8367 E683 061E 2F85 C381 [pgp.mit.edu](https://pgp.surfnet.nl/pks/lookup?op=vindex&fingerprint=on&search=0xE683061E2F85C381) | ||
Also, use the following template when reporting vulnerabilities so that it contains all the required information and helps expedite the analysis and mitigation process. | ||
|
||
- Vulnerable Ballerina artifacts(s) and version(s) | ||
- Vulnerable Ballerina artifact(s) and version(s) | ||
- Overview: High-level overview of the issue and self-assessed severity | ||
- Description: Include the steps to reproduce | ||
- Impact: Self-assessed impact | ||
- Solution: Any proposed solution | ||
|
||
We will keep you informed of the progress towards a fix and disclosure of the vulnerability if the reported issue is identified as a true positive. | ||
|
||
## Handling a vulnerability | ||
|
||
The below is an overview of the vulnerability handling process. | ||
|
||
1. The user privately reports the vulnerability to [email protected]. (The initial response time will be less than 24 hours). | ||
2. The WSO2 security team works privately with the user to fix the vulnerability and QA verifies the solution. | ||
3. Apply the fix to the master branch and release a new version of the distribution if required. | ||
1. The vulnerability will be reported privately to [email protected]. (The initial response time will be less than 24 hours). | ||
2. The reported vulnerability gets fixed and the solution gets verified by the relevant teams at WSO2. | ||
3. The fix gets applied to the master branch and a new version of the distribution gets released if required. | ||
4. The reported user is kept updated on the progress of the process. | ||
|
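Review bot: in the new key line `> security@ballerina.io: 0168 DA26 2989 0DB9 4ACD 8367 E683 061E 2F85 C381 [pgp.mit.edu](https://pgp.surfnet.nl/pks/lookup?...)` the link text names pgp.mit.edu but the URL points at pgp.surfnet.nl; since the fingerprint is the one thing a reporter checks before encrypting, the label should match the server actually linked (or link the fingerprint itself without naming a server). Two smaller points in the same hunk: the added WARNING paragraph repeats the "before it's mitigation actions" wording from the removed text and should read "before its mitigation actions", and the removed line "Please do not create GitHub issues for security vulnerabilities" is only covered implicitly by "do not use any other medium"; naming GitHub issues explicitly is worth keeping, because that is where contributors will otherwise report by default.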