WSO2 takes security issues very seriously. If you have any concerns regarding the security aspects of the source code or any other resource in this repo, or have uncovered a security vulnerability, we strongly encourage you to report that to our private and highly confidential security mailing list: security@wso2.com first, without disclosing them in any forums, sites or other groups - public or private.
We will keep you informed of the progress towards a fix and disclosure of the vulnerability, if reported issue is identified as a true positive. To protect the end-user security, these issues could be disclosed in other places only after WSO2 completes it’s mitigation actions and disclosure process.
Warning : Please do not create GitHub issues for security vulnerabilities.
WSO2 guidelines for reporting a security vulnerability page describes how to report a Security Vulnerability and includes a public key if you wish to send secure messages to security@wso2.com