Description

At Liferay, we are committed to providing a secure and reliable digital environment for our users. We recognize the invaluable role that the security research community plays in helping us maintain the security of our systems. This Vulnerability Disclosure Program (VDP) outlines a clear and responsible path for security researchers to report vulnerabilities they discover in our publicly accessible systems.

Bounties

This is a responsible disclosure program without bounties.

While we do not offer bounties for reported vulnerabilities in our VDP, we are deeply grateful for your efforts and contribution to securing our systems and environment, and will provide public recognition for valid, first-time reports in our "Hall of Fame", unless you prefer to remain anonymous.

Rules of engagement

Rate limit: max. 10 requests/sec

By participating in this program, you agree to:

  • Respect the Community Code of Conduct
  • Respect the Intigriti Terms and Conditions
  • Respect the scope of the program
  • Not discuss or disclose vulnerability information without prior written consent (including PoCs on YouTube and Vimeo)

To ensure your research is conducted legally and ethically, you must adhere to the following rules:

1. Do No Harm: Avoid any actions that could interrupt or degrade our services, compromise user privacy, or destroy data. When conducting tests, avoid any impact on our services or systems. Do not modify any information or code. Do not run automated scans against our systems. Limit all requests to a maximum of 10 requests per second.

2. Stop and Report: If you encounter any personally identifiable information (PII), confidential information, or sensitive data—including information about customers or employees—you must stop immediately and notify us. It is strictly prohibited to save, use, or disclose this information for any purpose. If you accidentally downloaded any of this data, you are required to securely delete it and report the finding right away. Similarly, if you suspect your tests have damaged any systems, report the initial steps you took and ask for permission before continuing.

3. Proof of Concept: Provide a clear and concise proof of concept (PoC) that demonstrates the vulnerability. Include the affected URL or system, a description of the vulnerability, and the steps to reproduce it. Screenshots, code snippets, and videos are highly encouraged.

4. No Public Disclosure: Do not publicly disclose any vulnerability details until we have completed our remediation efforts. Make sure that during your research you do not inadvertently cause a data breach, e.g. by sharing screenshots or recordings on third-party cloud solutions, including PoCs on YouTube and Vimeo.

Our Commitment to You

When conducting research and reporting vulnerabilities in good faith and in compliance with this policy, we commit to:

  • Safe Harbor: We will not pursue legal action against you or your team for security research activities that are conducted in good faith and strictly adhere to this policy.

  • Prompt Communication: We will acknowledge your report within the below timelines, once your submission has been verified by Intigriti.

  • Transparency: We will keep you informed of our progress as we work to validate and, if necessary, remediate the reported vulnerability.

  • Public Recognition: For all valid, in-scope, and non-duplicate reports, we will recognize your contribution publicly on our "Hall of Fame" page unless you prefer to remain anonymous.


Validation times

We will validate all submissions within the below timelines, once your submission has been verified by Intigriti.

Vulnerability severity | Time to validate
Exceptional | < 1 working day
Critical | 1 working day
High | 2 working days
Medium | 4-5 working days
Low | 10 working days

Assets (6)

Websites & Web Applications: four URL assets (no bounty), the wildcard *.liferay.com (no bounty), and one URL asset marked out of scope.

Program Focus

While we welcome all security reports, we are particularly interested in the following areas:

  • Broken Access Control: Gaining unauthorized access to Site Administration or Instance Settings.
  • Cloud Infrastructure: Security flaws in our SaaS/PaaS orchestration layers.
  • API Security: Vulnerabilities in our Headless APIs and GraphQL endpoints.

Researcher Resources

To help you understand the architecture and intended security boundaries, please refer to:

Out of scope

The following assets are strictly out of scope for this VDP. Any testing or reporting on these assets will be considered a violation of this policy:

  • Websites: Sites not operated by Liferay, Inc., for example https://login.liferay.com.
  • Liferay Products: Liferay Portal and Liferay DXP core software, as well as any publicly available Liferay Marketplace applications owned by Liferay, Inc. These products are covered under a separate bug bounty program (https://app.intigriti.com/programs/liferay/liferaydxp/detail).
  • Third-party Services: Any services, applications, or websites not owned or operated by Liferay, Inc. This includes services like social media pages, cloud providers, or other third-party vendors.
  • Physical Intrusion: Any attempt to physically enter our facilities without prior authorization.
  • Denial of Service (DoS): DoS, Distributed Denial of Service (DDoS) or brute force attacks.
  • Social Engineering: Any form of social engineering (e.g., phishing, vishing, smishing) against our employees or users.
  • Vulnerabilities with low impact or requiring user interaction: This includes, but is not limited to:
    • Missing HTTP headers (e.g., HSTS).
    • Self-XSS (Cross-Site Scripting that can only be executed by the user themselves).
    • Spam or email spoofing vulnerabilities.
    • Clickjacking on pages with no sensitive actions.
    • Descriptive error messages or stack traces.
    • Login/logout CSRF.
    • Reports from automated scanners without a manual, validated proof of concept.

General Exclusions:

  • Duplicate reports: Any vulnerability already known to the company from its own internal testing or prior reports will be marked as a duplicate.
  • Theoretical issues: Security concerns that lack a realistic exploit scenario, a clear attack surface, or require complex user interaction will not be accepted.
  • Physical and social attacks: This includes physical intrusion, social engineering, spam, and defacement or reputation damage.
  • DoS/DDoS attacks: Submissions reporting Distributed Denial-of-Service or Denial-of-Service vulnerabilities are not eligible.
  • Non-eligible software: Vulnerabilities found in software that no longer receives security updates or in non-current browsers (older than three versions) are excluded.
  • Access limitations: Reports relying on physical access to a device, man-in-the-middle attacks, or compromised user accounts are not accepted.
  • Zero-day vulnerabilities: We accept reports for recently discovered zero-day vulnerabilities within 14 days of a public patch being released. However, as this is a Disclosure Program, no monetary reward will be issued.
  • Incomplete reports: Submissions that claim software is outdated or vulnerable without a proof-of-concept will be rejected.
  • Internal actions: This includes installing persistent backdoors, changing system settings, or performing delete operations.
  • Non-internet facing systems: Exploits on internal company networks are not eligible.
  • Unauthorized data access: Accessing personal data beyond what's needed for proof of a vulnerability is prohibited.
  • Unsolicited messages: Submissions related to vulnerabilities that send bulk or unauthorized messages are not accepted.
  • General complaints: The program is not intended for reporting complaints about the company's services or products.
  • Email addresses and documentation: Reports of email addresses or internal documentation without a clear security impact will not be accepted.

Severity assessment

This program follows Intigriti's triage standards based on the proof of concept.


Accepted Issues and Severity

When you submit a vulnerability report, please consider the exploitability and security impact of the bug and include a clear attack scenario. Your severity assessment is valuable to us, but we retain the right to adjust the final rating based on our internal analysis of the vulnerability's criticality.
In any instance where we modify the severity rating of a submission, we will provide a clear explanation for our decision. This gives you the opportunity to make a case for a higher priority if you believe our assessment missed a key detail. We will not accept or will re-evaluate submissions that lack a clear exploit chain.

Please be aware that our highest severity ratings are reserved for vulnerabilities with a direct and significant impact on our most critical business systems. Our network is segmented into different environments with varying levels of security and criticality. Therefore, a vulnerability like Remote Code Execution (RCE) might be classified differently depending on which network segment or asset it affects. A known RCE on a non-critical, isolated system, for example, will not receive the same rating as an RCE on our core, business-critical infrastructure.

Some examples:

Exceptional
RCE (Remote Code Execution)

Critical
Access to all customer personal data
SQL injection

High
Privilege escalation
Authentication bypass on critical infrastructure

Medium
CSRF with a significant impact

Low
CSRF with a very limited impact

FAQ

Is this a bug bounty program? Are bounties offered?

No, this is a Vulnerability Disclosure Program, without bounties.

But if you find something related to our product Liferay DXP and would like to be considered for a bounty, please submit your report to our paid bug bounty program.

What is the reward for submitting a valid vulnerability?

While no monetary bounties are offered, we will provide public recognition for valid, first-time reports in our "Hall of Fame", unless you prefer to remain anonymous.

What systems or assets are "in scope" for testing?

In scope primarily includes the Websites and Web Applications listed (e.g., liferay.com, liferay.dev, learn.liferay.com, etc.), as well as Liferay security matters and other web applications owned by Liferay, Inc. that are not based on Liferay Portal or DXP software. Physical Environment vulnerabilities are also in scope, but physical testing must be non-intrusive and without explicit written consent.

What is "out of scope" and should not be tested?

Out of scope includes: Liferay Portal and Liferay DXP core software (these have a separate program), Domains not owned by Liferay, Inc., Third-party Services, Physical Intrusion without consent, Denial of Service (DoS/DDoS) or brute force attacks, Social Engineering, and low-impact vulnerabilities (e.g., self-XSS, missing HTTP headers, basic CSRF). Automated scans without a manual PoC are also excluded.

What are the rules for testing? Can I use automated tools?

You must Do No Harm: avoid interrupting services, compromising user privacy, or modifying data. Do not automatically scan our systems. Limit all requests to a maximum of X requests per second. If you find sensitive data (PII), you must stop immediately and report it.

How long will it take for my submission to be validated?

We will validate all submissions once verified by Intigriti according to the severity: 5 working days for Exceptional, Critical, and High severity; and 10 working days for Medium and Low severity.

Will I face legal action for my security research?

No, we commit to Safe Harbor. We will not pursue legal action against you or your team for security research activities that are conducted in good faith and strictly adhere to this policy.


Overall stats

Submissions received: 1. Average payout, accepted submissions and total payouts: N/A.

Activity

  • 3/13: bisy created a submission
  • 3/12: Liferay updated the confidentiality level to public
  • 3/12: Liferay updated the confidentiality level to registered
  • 3/12: Liferay updated the confidentiality level to application
  • 3/12: Liferay changed the in-scope assets
  • 3/11: Liferay changed the in-scope assets (five updates)