Reporting and Testing Policy
Liferay recognizes the important role that the Liferay community and independent security researchers play, and we encourage responsible reporting of vulnerabilities discovered in our products.
Liferay believes in Responsible Disclosure. This means that when you report new bugs related to security vulnerabilities, you give Liferay a chance to respond (evaluate and resolve) to those bugs before their details are publicly and fully disclosed.
Please be aware that vulnerabilities within an application may take longer to resolve than you may be used to. Except in the case of a critical vulnerability, an application vulnerability will most likely be fixed in the next regular release of the application.
Submission
Liferay now operates a Public Bug Bounty Program on the Intigriti platform. We are performing assessments via the platform and rewarding true positive findings with monetary bounties.
Please read the full program details, scope, and rules at Liferay DXP - Bug Bounty Program - Intigriti and submit your report through the Intigriti platform.
Why a Bug Bounty?
Security is never "finished." Even with rigorous testing, secure development practices, and audits, vulnerabilities can slip through. A bug bounty program brings fresh eyes and diverse expertise to our platform—researchers who may approach the system in ways our own teams would never think of.
What makes it even better? Researchers get compensated for their work. That creates a healthy, collaborative ecosystem where everyone benefits:
- Researchers get rewarded for their skills.
- Liferay becomes more secure.
- Customers gain confidence in the robustness of the platform.
How It Works on Intigriti
The program is hosted on Intigriti, a leading bug bounty and crowdsourced security platform. If you're new to it, here's what the process looks like:
- Sign up as a researcher on Intigriti. It only takes a couple of minutes.
- Once you have an account, search for “Liferay DXP” in the public programs list.
- From there, you can review the scope, rules, and bounty tiers.
- When you discover a potential vulnerability, you can submit it directly through the platform.
The structure is clear and fair:
- Severity-based rewards
- Fast response times
- Defined scope
- Safe Harbour
General Submission Guidelines
Please do not submit vulnerabilities on any public channel, including but not limited to, Discuss, Blogs, Liferay Community Slack, or social media.
Please attach all images and videos supporting your report directly to your submission on the Intigriti platform. Do not use third-party sites to host the files.
If the vulnerability involves unauthorized access to data on a website, please provide all IP addresses you used for testing.
Reward
We recognize and reward true positive security submissions through monetary bounties paid via the Intigriti platform.
Disclosure Process
- Liferay will acknowledge the report and attempt to reproduce the issue using the supplied information, following the response timelines defined in the Intigriti program.
- Liferay will fix and (if applicable) release patches for affected applications.
- Liferay will notify the reporter that the vulnerability has been fixed.
- If appropriate, Liferay will assign a CVE ID to the vulnerability. Unless specifically requested by a reporter to do so earlier, the CVE ID will be assigned just prior to publication of the advisory.
- An advisory will be published on the known vulnerabilities page.
Want to learn more?
Details on Scope, Safe Harbour, FAQs and other important information are available on Intigriti.