Liferay Security

Background Statement

Liferay is committed to producing high quality and secure products. The security of our products is very important to our customers and the wider Liferay community, and we have processes in place to ensure that any security-related issues are promptly addressed and that our customers' data is kept secure. As a technology, Liferay is a valuable tool for building web sites, and uses industry standard security technology to minimize the chance of security issues.

Liferay also recognizes the important role that independent security researchers play, and we encourage responsible reporting of vulnerabilities discovered in our products. For more information about reporting, see our reporting and testing policy.

Liferay Security Policy

Liferay has developed the following policy that applies to reported security issues in our products.

Initial Report

Liferay can receive reports of security vulnerabilities from various sources (e.g. JIRA tickets, social media, external blogs, and internal discoveries). Within 72 hours of discovering or being notified of a potential vulnerability, Liferay will attempt to reproduce the issue using the supplied information. If the vulnerability is reproducible, a private ticket is created if one does not already exist, the vulnerability is classified into one of the defined severity levels, and the details of the vulnerability are documented in this ticket.

Triage and Classification

Security vulnerabilities are classified by Liferay into different severity levels based on a number of factors, the most important of which is the perceived risk to Liferay deployments.
  • Severity Level 1 (SEV-1) - This includes situations where complete system access is possible, including access to the underlying system's resources, the potential for data corruption or compromise, or the ability to execute arbitrary code by an attacker. It also includes issues that do not allow complete system access, but can impact service levels and system reliability, or affect systems other than Liferay itself. This typically includes Denial-of-Service vulnerabilities and cross-site scripting and related vulnerabilities.
  • Severity Level 2 (SEV-2) - This level is used for minor vulnerabilities, including cross-site scripting, permission problems, and information leaks.

Notification

Details of the vulnerability, any potential workarounds, and pointers to patches or other fixes will be made public via the Community Security Team and its Known Vulnerabilities page.

Patch Availability

Fixes for issues in the form of source code and/or binary patches will be made available to all users through the Liferay Community Security Team. This team actively monitors Liferay's open source code commits and uses them to create patches for the latest CE release. Members of the team are volunteer representatives from the Liferay community with a proven security-focused track record, and the team provides a valuable service to our open source community.