diff --git a/SECURITY.md b/SECURITY.md index 3cdd26d5f9fb..af9267f4c48b 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,3 +1,9 @@ +--- +layout: ballerina-inner-page +title: Reporting a Security Vulnerability +permalink: /security/ +--- + # Security Policy Ballerina project maintainers take security issues very seriously and all the vulnerability reports are treated with the highest priority and confidentiality. 
@@ -7,29 +13,32 @@ Ballerina project maintainers take security issues very seriously and all the vu ## Reporting a vulnerability -Ensure you are using the latest Ballerina version before you test a security issue, run an automated security scan or perform a penetration test. +Ensure you are using the latest Ballerina version before you run an automated security scan or perform a penetration test against it. -If you have any concerns regarding the security aspects of the source code or any other resource in this repo or have uncovered a security vulnerability, we strongly encourage you to report that to our private and highly confidential security mailing list: **[security@ballerina.io](mailto:security@ballerina.io)** first using the below key without disclosing them in any forums, sites, or other groups - public or private. +Based on the ethics of responsible disclosure, you must only use the **[security@ballerina.io](mailto:security@ballerina.io)** mailing list to report security vulnerabilities and any other concerns regarding the security aspects of the source code or any other resource in this repo. -security@ballerina.io: 0168 DA26 2989 0DB9 4ACD 8367 E683 061E 2F85 C381 [pgp.mit.edu](https://pgp.surfnet.nl/pks/lookup?op=vindex&fingerprint=on&search=0xE683061E2F85C381) +**WARNING:** To protect the end-user security, please do not use any other medium to report security vulnerabilities. Also, kindly refrain from disclosing the vulnerability details you come across with other individuals, in any forums, sites, or other groups - public or private before it’s mitigation actions and disclosure process are completed. -We will keep you informed of the progress towards a fix and disclosure of the vulnerability if reported issue is identified as a true positive. To protect the end-user security, these issues could be disclosed in other places only after it’s mitigation actions and disclosure process are completed. 
+Use the following key to send secure messages to security@ballerina.io: -**Warning:** Please do not create GitHub issues for security vulnerabilities. Further, kindly refrain from sharing the vulnerability details you come across with other individuals. +> security@ballerina.io: 0168 DA26 2989 0DB9 4ACD 8367 E683 061E 2F85 C381 [pgp.mit.edu](https://pgp.surfnet.nl/pks/lookup?op=vindex&fingerprint=on&search=0xE683061E2F85C381) Also, use the following template when reporting vulnerabilities so that it contains all the required information and helps expedite the analysis and mitigation process. -- Vulnerable Ballerina artifacts(s) and version(s) +- Vulnerable Ballerina artifact(s) and version(s) - Overview: High-level overview of the issue and self-assessed severity - Description: Include the steps to reproduce - Impact: Self-assessed impact - Solution: Any proposed solution +We will keep you informed of the progress towards a fix and disclosure of the vulnerability if the reported issue is identified as a true positive. + ## Handling a vulnerability The below is an overview of the vulnerability handling process. -1. The user privately reports the vulnerability to security@ballerina.io. (The initial response time will be less than 24 hours). -2. The WSO2 security team works privately with the user to fix the vulnerability and QA verifies the solution. -3. Apply the fix to the master branch and release a new version of the distribution if required. +1. The vulnerability will be reported privately to security@ballerina.io. (The initial response time will be less than 24 hours). +2. The reported vulnerability gets fixed and the solution gets verified by the relevant teams at WSO2. +3. The fix gets applied to the master branch and a new version of the distribution gets released if required. 4. The reported user is kept updated on the progress of the process. +
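Review bot: the added YAML front matter in the first hunk (`layout`, `title`, `permalink`) is rendered by GitHub as a table at the top of SECURITY.md, which is the file reporters reach from the repository's Security tab, so the site metadata will be visible there; also the front-matter `title` ("Reporting a Security Vulnerability") does not match the H1 right below it ("Security Policy"). If the same file must serve both the website and GitHub, consider aligning the two titles or keeping the site page as a separate source that includes this file.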
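Review bot: in the second hunk the new WARNING line has a grammar slip, "before it’s mitigation actions and disclosure process are completed" should read "before its mitigation actions and disclosure process are completed", and the rewrite drops the explicit instruction from the removed "**Warning:** Please do not create GitHub issues for security vulnerabilities"; since GitHub issues are the channel a reporter is most likely to reach for, keep that sentence rather than relying on "any other medium". Two smaller points in the same hunk: the key line's link text says `pgp.mit.edu` while the URL points to `pgp.surfnet.nl`, so make the label match the actual server, and the unchanged step "4. The reported user is kept updated" should be "The reporting user".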