Liferay Security

Background Statement

Liferay is committed to producing high-quality and secure products and services. The security of our products and services is very important to our customers and the wider Liferay community. We have processes in place to ensure that any security-related issues are found as soon as possible, promptly addressed, and that our customers' data is kept secure. As a technology, Liferay is a valuable tool for building digital solutions, and uses industry-standard security technology to minimize the occurrence of security issues.

Liferay also recognizes the important role that independent security researchers play, and we encourage responsible reporting of vulnerabilities discovered in our products. For more information about reporting, see our reporting and testing policy.

Liferay Security Policy

Liferay has developed the following policy that applies to reported security issues in our products and services.

Initial Report, Triage and Classification

Within 72 hours of discovering or being notified of a potential vulnerability, Liferay responds to the report and attempts to reproduce the issue using the supplied information. If the vulnerability is reproducible, a private ticket is created, if one does not already exist, and the details of the vulnerability are documented in the ticket.

Product Fixing and Patching

Security vulnerabilities are classified by Liferay into different severity levels based on the NVD metrics for calculating the Common Vulnerability Scoring System (CVSS). For more information about NVD supported CVSS standards, please refer to this page: NVD Vulnerability Metrics. We apply a risk-based approach to prioritizing security patches and vulnerability fixes. The risk is evaluated based on a security review of each vulnerability to assess exploitability, severity, and the associated risk-probability and impact.
  • Severity Level 1 (SEV-1) - This includes situations where complete system access is possible, including access to the underlying system's resources, the potential for data corruption or compromise, or the ability to execute arbitrary code by an attacker. It also includes issues that do not allow complete system access, but can impact service levels and system reliability, or affect systems other than Liferay itself. This typically includes Denial-of-Service vulnerabilities and cross-site scripting and related vulnerabilities.
  • Severity Level 2 (SEV-2) - This level is used for minor vulnerabilities, including cross-site scripting, permission problems, and information leak.

Notification

We create and publish a CVE record with the necessary information for every vulnerability in the product. Details of each vulnerability, any potential workarounds, and pointers to patches or other fixes will be made public via the Customer Portal and the public Known Vulnerabilities page.

Patch Availability

Customer patch timelines are subject to customer support agreements. Timelines for community-oriented products are on a best-effort basis.