Liferay takes security very seriously. Liferay has established several procedures to make sure that Liferay DXP is as secure as possible. First of all, Liferay DXP is an open source product. As such, Liferay encourages security-minded community members to verify the product they’re using. All Liferay users benefit when even a few don’t blindly trust the provider! Please read the Liferay security statement for more information.
Although we act on community reports, we understand that community reports alone are not enough. Liferay’s internal security team also works on improving security. Liferay’s internal security team conducts internal security reviews. They check Liferay’s source code for common vulnerabilities that can be accidentally introduced by developers. Additionally, all Liferay DXP security-related code is reviewed by Liferay’s application security team before it’s committed. For every major portal release, Liferay works with external security partners to perform security scans and penetration testing.
Because the security cycle never ends, the internal application security team gathers reports from Liferay customers and the Liferay community. The team also monitors other channels (Twitter, the full disclosure mailing list, the liferay.com forums, etc.) to catch every security issue as soon as possible. Once an issue is fixed, Liferay’s Support, Release, and other teams work on backporting and releasing security patches for all supported versions.