Liferay Security

Background Statement

Liferay is committed to producing high quality and secure products. The security of our products is very important to our customers and the wider Liferay community, and we have processes in place to ensure that any security-related issues are promptly addressed and that our customers' data is kept secure. As a technology, Liferay is a valuable tool for building websites, and it uses industry-standard security technology to minimize the chance of security issues.

Liferay also recognizes the important role that independent security researchers play, and we encourage responsible reporting of vulnerabilities discovered in our products. For more information about reporting, see the following sections.

Liferay Security Policy

Liferay has developed the following policy that applies to reported security issues in our products.

Initial Report

Liferay can receive reports of security vulnerabilities from various sources (e.g. a JIRA or LESA ticket, social media, external blogs, or internal discoveries). Within 72 hours of discovering or being notified of a potential vulnerability, Liferay will attempt to reproduce the issue using the supplied information. If the vulnerability is reproducible, a private ticket is created if one does not already exist (it will later be made public), the vulnerability is classified into one of the defined severity levels, and the details of the vulnerability are documented in that ticket.

Triage and Classification

Security vulnerabilities are classified by Liferay into different severity levels based on a number of factors, the most important of which is the perceived risk to Liferay deployments.

  • Severity Level 1 (SEV-1) - The most severe level. This includes situations where complete system access is possible, including access to the underlying system's resources, the potential for data corruption or compromise, or the ability for an attacker to execute arbitrary code.
  • Severity Level 2 (SEV-2) - Issues at this level do not allow complete system access, but can impact service levels and system reliability, or affect systems other than Liferay itself. This typically includes Denial-of-Service vulnerabilities, cross-site scripting, and related vulnerabilities.

Notification

Security vulnerabilities are particularly important to all users of Liferay, including users of its Community Edition (especially those reported to Liferay by its open source community!). As a Liferay user, it is important for you to be aware of, and be notified when, potential vulnerabilities are discovered.

While the fixes for all security vulnerabilities are always available via the most recent Liferay source code, the details of each vulnerability, any potential workarounds, and pointers to patches or other fixes will be made public within 5 days of the vulnerability being fixed (during which time the fix is rigorously tested against Liferay's supported configurations). Publication is via the Community Security Team and its Known Vulnerabilities page, and in the security advisory forum. To be notified via email, subscribe to one or both of these channels.

Patch Availability

Fixes for issues, in the form of source code and binary patches, will be made available to all users through the Liferay Community Security Team. This team actively monitors Liferay's open source code commits and uses them to create patches for the latest CE release. Members of the team are volunteer representatives from the Liferay community with a proven security-focused track record, and the team provides a valuable service to our open source community. If you are interested in getting involved, visit the team's page and contact the maintainers.

Reporting Security Issues

We're always appreciative when members of the security community report vulnerabilities to us.

Liferay believes in Responsible Disclosure. This means that when you report new bugs related to security vulnerabilities, you give Liferay a chance to respond to (evaluate and resolve) the security bugs before their details are publicly and fully disclosed.

To notify Liferay of a vulnerability, please send an encrypted email to security@liferay.com. Do not submit vulnerabilities on any of our Community forums, blog comment pages, or other public locations. Here is a link to download the PGP key for secure communications: Liferay Security Key (or here).

Priority will be given to encrypted reports; please include your PGP key so that replies can be encrypted. We also expect researchers to keep the details of the vulnerability private until a fix is released via the Community Security Team.

You may also report vulnerabilities via JIRA; be sure to follow the guidelines on the JIRA reporting page (in particular, select the Secure privacy option when creating the ticket).