DXP Support Coverage
Security Support Policy
Liferay is committed to producing software products that are enterprise-grade with respect to security as well as quality and features. We understand that it is essential for our enterprise customers to keep their IT stack free of security vulnerabilities.
Ideally, security issues will be reported with steps to reproduce in a clean product instance. Issues that arise from a security scan can also be reported. Please share the entire report when disclosing security issues to Subscription Services. Security issues discovered through an automated scan that Subscription Services deems to be false positives or unexploitable will be handled on a case-by-case basis.
Within 72 hours of discovering or being notified of a potential vulnerability, Liferay will attempt to reproduce the issue using the supplied information. If the vulnerability is reproducible and if a ticket does not already exist for the vulnerability, then a private (non-public) ticket will be created. The ticket will be classified into one of the pre-defined severity levels and the details of the vulnerability will be documented in the ticket.
For more information regarding our security policy and known vulnerabilities, please see our Security Vulnerabilities page.