Liferay Portal is community driven Free and Open Source Software project which comes without SLAs, legal commitments to fix issues (even security related ones) nor contract based response times. If you are running mission critical applications on top of Liferay Portal please consider moving to the enterprise, supported Liferay DXP instead!
That said, we take security very seriously and regularly release security advisories and patches for Liferay Portal thanks to the Community Security Team.
Getting notified of security issues
Security vulnerabilities are particularly important to all users of Liferay Portal. It is very important to be aware of and be notified when potential vulnerabilities are discovered. Therefore details of the vulnerability, any potential workarounds, and pointers to patches or other fixes will be made on Known Vulnerabilities page. The "Subscribe" (only available for signed-in users) and "RSS" links there, allow for receiving notifications via email and RSS feed respectively.
Reporting security issues
Like many other open source projects, we believe in Responsible Disclosure. This means that when you are reporting new bugs related to security vulnerabilities, you give us some time to respond (evaluate, resolve) security bugs before its details are publicly and fully disclosed. For security-related bugs, follow the reporting steps listed on the Reporting Security Issues page.