Security Overview
Liferay Portal is Liferay's Free and Open Source Software (FOSS) project. It comes without SLAs or legal commitments to fix issues, even security-related ones, and without contract-based response times.
Liferay takes security very seriously. Our InfoSec team regularly releases Security Advisories for Liferay Portal.
Getting notified of Security Issues
Security vulnerabilities are particularly important to all users of Liferay Portal. It is very important to be aware of potential vulnerabilities and to be notified when they are discovered. Therefore, details of each vulnerability, along with any potential workarounds, will be made available on the Known Vulnerabilities page.
This page provides two options that you can use to keep up-to-date:
- Subscribe provides notifications via email. You must be logged in to liferay.dev for this option to be available.
- RSS provides access to an RSS feed.
Reporting security issues
Like many open source projects, we believe in Responsible Disclosure.
This means that when you report new bugs related to security vulnerabilities, you give us some time to respond to (evaluate and resolve) them before their details are publicly and fully disclosed.
For security-related bugs, follow the reporting steps listed on the Reporting Security Issues page.