Security policy

Thank you for taking the time to responsibly disclose any vulnerabilities you find.

Report a vulnerability

First of all, make sure that you are using the latest Ballerina version before you run an automated security scan or perform a penetration test against it. All security vulnerabilities and any other concerns related to security should be reported by sending an email to security@ballerina.io.

WARNING: To ensure end-user security, please do not use any other medium to report security vulnerabilities. Also, kindly refrain from disclosing the details of any vulnerability you come across to others, in any forums, sites, or other groups (public or private), before its mitigation and disclosure processes are completed.

If you would like, you can encrypt your report to security@ballerina.io using the public key with the following fingerprint:

security@ballerina.io: AC48 3C56 C0A0 6020 4BBE F3E4 182F 3F21 255F CCE9

This key can also be found at keys.openpgp.org.

Also, use the following template when reporting vulnerabilities so that your report contains all the information required to expedite the analysis and mitigation process.

  • Vulnerable Ballerina artifact(s) and version(s): list the vulnerable Ballerina artifact(s) and version(s)
  • Overview: provide a high-level overview of the issue and self-assessed severity
  • Description: include the steps to reproduce
  • Impact: state self-assessed impact
  • Solution: propose a solution if you have one

We will keep you informed of the progress towards fixing and disclosing the vulnerability if the reported issue is identified as a true positive.

Handle a vulnerability

Here is an overview of our approach to handling vulnerabilities:

  1. The vulnerability will be reported privately to our security team at security@ballerina.io.
  2. Your email will be acknowledged within 24 hours, and you’ll receive a detailed response to your email indicating the next steps in handling your report. You will be updated on the progress.
  3. In case of a true-positive finding, the reported vulnerability will be confirmed and fixed by the relevant teams at WSO2.
  4. The fix will be applied to the affected components and a new version will be released immediately if required.
  5. The reporter is kept updated on the progress of the process.

Get acknowledged and rewarded

Your efforts in reporting vulnerabilities or any other issues related to the security of Ballerina will be recognized and honored via the WSO2 security reward and acknowledgement program.

Note: The reward program is currently applicable to vulnerabilities reported only in the compiler, runtime, CLI tooling, standard library, VS Code extension, and website.

Security advisories

The following Ballerina security advisories have already been published.

Compiler, runtime, and CLI tooling