Liferay takes security very seriously. Liferay has established several procedures to make sure that Liferay Portal is as secure as possible. First of all, Liferay Portal is an open source product. As such, Liferay encourages security-minded community members to verify the product they’re using. All Liferay users benefit when even a few don’t blindly trust the provider! Please read Liferay’s security statement at https://liferay.com/security for more information.
Next, Liferay forms a Community Security Team. This team addresses community security concerns, helps with security-related questions on the Liferay forums, and releases security patches for Liferay Portal versions. Members of the Community Security Team attend Liferay conferences and engage in other individual activities.
If you have time, please visit our community Hall of Fame for security reporters: https://dev.liferay.com/web/community-security-team/hall-of-fame. These community members helped us and invested their time to report security issues. With their help, we make Liferay Portal better for the community and customers.
Although we act on community reports, we understand that community reports alone are not enough. Liferay’s internal security team also works on improving security. This team conducts internal security reviews, checking Liferay’s source code for common vulnerabilities that can be accidentally introduced by developers. Additionally, all Liferay Portal security-related code is reviewed by Liferay’s application security team before it’s committed. For every major portal release, Liferay works with external security partners to perform security scans and penetration testing.
Because the security cycle never ends, the internal application security team gathers reports from Liferay customers and the Liferay community. The team also monitors other channels (Twitter, the full disclosure mailing list, the liferay.com forums, etc.) to catch every security issue as soon as possible. Once an issue is fixed, Liferay’s Support, Release, and other teams work on backporting and releasing security patches for all supported versions.