Public Bug Bounty Program

Public bug bounty program launched to strengthen Liferay DXP

I’m excited to share some great news: the Liferay DXP Bug Bounty Program is now open to the public!

My colleague and friend Zsolt Balogh announced this recently, and I couldn’t agree more about how important this step is for our community. We’ve run a private program for a few years, but like many closed initiatives, the flow of new discoveries slowed over time. By going public, we’re opening the doors to a much larger, more diverse group of security researchers — and that’s a huge win for everyone who relies on Liferay DXP.

You can check out the program here: Liferay DXP Bug Bounty on Intigriti.

Why a Bug Bounty?

Security is never “finished.” Even with rigorous testing, secure development practices, and audits, vulnerabilities can slip through. A bug bounty program brings fresh eyes and diverse expertise to our platform — researchers who may approach the system in ways our own teams would never think of.

What makes it even better? Researchers get compensated for their work. That creates a healthy, collaborative ecosystem where everyone benefits:

  • Researchers get rewarded for their skills.

  • Liferay becomes more secure.

  • Customers gain confidence in the robustness of the platform.

How It Works on Intigriti

The program is hosted on Intigriti, a leading bug bounty and crowdsourced security platform. If you’re new to it, here’s what the process looks like:

  1. Sign up as a researcher on Intigriti. It only takes a couple of minutes.

  2. Once you have an account, search for “Liferay DXP” in the public programs list.

  3. From there, you can review the scope, rules, and bounty tiers.

  4. When you discover a potential vulnerability, you can submit it directly through the platform.

This part wasn’t immediately obvious to me until I went through it myself — you do need that researcher account before you can interact with the program.

The structure is clear and fair:

  • Severity-based rewards: Critical vulnerabilities can earn up to €2,000.

  • Fast response times: First response under 15 minutes, triage within 4 hours on average.

  • Defined scope: Issues like multi-tenant vulnerabilities, RCE attempts, and new feature security are in scope.

  • Safe harbour: As long as researchers follow the rules, they’re protected.

Why This Matters for Liferay Users

If you’re a Liferay customer, this means that your platform is continuously being stress-tested by skilled professionals worldwide. That’s not something that ends after a release cycle — it’s an ongoing process.

And if you’re a developer or security researcher, this is your chance to work with a widely used enterprise platform, contribute to improving open source security, and earn rewards along the way.

Kudos and Thanks

I want to thank Zsolt and his team for making this program a priority and for their tireless efforts to harden the Liferay platform. Their work ensures that every release becomes stronger and more secure, and opening this program publicly is a big milestone in that ongoing commitment.

Security is a journey, not a destination. Opening this bug bounty program to the public is another step in ensuring Liferay DXP remains a secure, trusted platform for building digital experiences.

If you’re interested, check out the details and join in:

Liferay DXP Bug Bounty on Intigriti
