By participating in this program, you agree to:

• Respect the Community Code of Conduct
• Respect the Intigriti Terms and Conditions
• Respect the scope of the program
• Not discuss or disclose vulnerability information without prior written consent (including PoC's on YouTube and Vimeo)

Validation times

We will validate all submissions within the below timelines, once your submission has been verified by Intigriti.
Submissions validated outside of this may be awarded a $25 bonus.

This remains at the discretion of Liferay to award.

Check our fix
We offer up to $50 bonus to verify a resolved issue for us (when requested).
This remains at the discretion of Liferay to award.

We are particularly interested in:

• Vulnerabilities related to users in a non-default virtual instance accessing data in a second virtual instance.

  A non-default virtual instance is any virtual instance created after the initial one that's set up during the Liferay DXP installation. While Liferay's core code is a single application, virtual instances allow you to host multiple, independent portals or websites that are isolated from each other at the data and configuration level.

  Core Concepts:

  • Default Instance: This is the first and primary instance created automatically upon installation. It serves as the main entry point from which you can create and manage other instances. It is typically accessed via localhost.
  • Non-Default Instances: All other instances are manually created to host additional portals. Each of these must be accessed via its own unique domain name.

  We offer up to $250 bonus for these vulnerabilities!

• Remote code execution (RCE); especially circumvention of security controls in templates and workflow.

• New features in Liferay DXP 2025.Q3, 2025.Q1.

Source code
Source code for Liferay Portal (Liferay Portal and Liferay DXP share a common codebase) is available to help you find vulnerabilities in Liferay DXP. The source code can be downloaded from the Liferay Portal project on GitHub.

Important Information:

• Only the latest version is in scope. Please verify your report in the latest version.
• Only the Liferay DXP application itself is in scope. The Docker image is provided for convenience. Any issues rooted with the Docker image and is not rooted in the application itself may not be eligible for a bounty. If you do not want to use the Docker image or you want to use a different application server, please refer to the documentation.
• Please consider the user role used during testing and if a particular action makes sense for that role. For example: Omni-administrators (i.e., users with the Administrator role in the default instance) have complete access to the application and the underlying server, including, but not limited to, the ability to access all data, execute arbitrary code in the scripting console, execute OS commands via Gogo shell, add add arbitrary HTML and Javascript into a page. These actions are not considered a vulnerability. On the other hand, a regular authenticated user who can perform these actions is a vulnerability.
• HTTPS is not enabled by default in the Docker image. If you want to test with HTTPS enabled, you will need to configure SSL/TLS. If you are using a different application server, please refer that that application server's documentation.

Feedback
Would you like to help us improve our program or have some feedback to share, please send your anonymous feedback here. Please note this form will be checked periodically and should not be used for submission or support queries.

Domains

• Any domain that is not listed in the Domains section, is out of scope for this program. In particular:
  • Liferay DXP 7.4 and earlier
  • Liferay Portal 7.4 and earlier
  • Liferay DXP 7.3 and earlier
  • Liferay Portal 7.3 and earlier
  • Liferay DXP 7.2 and earlier
  • Liferay Portal 7.2 and earlier
  • Nightly/test/GA/RC builds of Liferay Portal/DXP
  • Non latest Liferay DXP quarterly releases

Application

• API key disclosure without proven business impact
• Anything related to email spoofing, SPF, DMARC or DKIM
• Arbitrary file upload without proven business impact
• Banner grabbing/Version disclosure
• Best practices violations (password complexity, expiration, re-use, etc.)
• Blind SSRF without proven business impact (DNS pingback only is not sufficient)
• Circumventing Liferay DXP licensing
• Clickjacking on pages with no sensitive actions
• Content injection without a convincing proof-of-concept.
• CORS misconfiguration on non-sensitive endpoints
• Cross-domain referrer leakage
• Cross-site Request Forgery with no or low impact
• CSV Injection in a CSV file opened by an out of scope domain
• Disclosed and/or misconfigured Google API key (including maps)
• Disclosing API keys without proven impact
• DNS rebinding
• Email address aliasing (using plus(+) and dot(.) characters)
• Email bombing
• Homograph attacks
• Host header injection without proven business impact
• Hyperlink injection/takeovers
• HSTS settings
• HTTP Request smuggling without any proven impact
• Insecure (HTTP) connection to DXP
• Insufficient password hashing workload
• Missing cookie flags
• Missing CSP
• Missing security headers
• Mixed content type issues
• Not stripping metadata of images
• Open ports without an accompanying proof-of-concept demonstrating vulnerability
• Pre-Auth Account takeover/OAuth squatting
• Presence of autocomplete attribute on web forms
• Rate-limits bypass or the non-existence of rate-limits.
• Reverse tabnabbing
• Same-site scripting
• Self-XSS that can't be used to exploit other users
• Sessions not being invalidated (logout, enabling 2FA, etc.)
• Software or a library that is out of date/vulnerable without a proof-of-concept
• Subdomain takeover without taken over the subdomain
• Username enumeration
• Verbose messages/files/directory listings without disclosing any sensitive information
• _vti_inf.html disclosure when the server is not running FrontPage.
• Weak SSL configurations and SSL/TLS scan reports
• XMLRPC enabled

General

• In case that a reported vulnerability was already known to the company from their own tests, it will be flagged as a duplicate
• Issues that are the result of an insecure default setting may be lowered in severity
• Issues identified in the source code without a proof-of-concept
• Issues that are only exposed after enabling a feature flag
• Issues that are only exploitable after changing a configuration that is intended to decrease security (e.g., XXE is exploitable after disabling XXE protection)
• Vulnerabilities that are limited to application servers, databases, OS, browsers and/or JDK that are not listed on the compatibility matrix
• For Liferay DXP, the Docker image is provided for convenience. Any issues rooted with the Docker image that are not rooted in the application itself may not be eligible for a bounty.
• Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited, may be excluded or be lowered in severity
• Attacks requiring physical access to a victim’s computer/device, access to the operating system, or compromised user accounts
• Spam, social engineering and physical intrusion
• DoS/DDoS attacks or brute force attacks
• Recently discovered zero-day vulnerabilities found in in-scope assets within 14 days after the public release of a patch or mitigation may be reported, but are usually not eligible for a bounty
• This bug bounty program is intended for external security researchers. Liferay employees, Liferay customers, and Liferay partners are required to report all issues and vulnerabilities through the established Liferay Internal Support processes. Submissions from these groups via the bug bounty program will not be considered.

This program follows Intigriti's triage standards based on the proof of concept with the following exception:

• XSS vulnerabilities can have a max severity of medium

How do we run Liferay DXP?

• Docker image: (Detailed instructions)
  1. docker pull liferay/[image]
  2. docker run -it -m 8g -p 8080:8080 liferay/[image]
  3. Open your browser to http://localhost:8080

Where can we get credentials for Liferay DXP?

• The application will prompt you to choose a password the first time you run the application.
  • Email address: test@liferay.com
  • Password: test

Where can we get a license key for Liferay DXP?

License key is not needed for Liferay DXP as the Docker images are pre-installed with a license key.

• Note: The license key pre-installed on Docker images expires three months after the image was created. Please verify you are using the latest Liferay DXP version as the latest Liferay DXP Docker image will always have a pre-installed and valid license.

How can we quickly populate the application with sample data?

1. Open the Application Menu
2. Click on the "Control Panel" tab and click "Sites"
3. Click on the plus icon to add a new site
4. Choose one of the templates to create a new site

How do we get help using Liferay DXP?

In addition to the documentation, the Liferay community is available on Slack. However, please be aware of the following:

• Slack is for the general Liferay community and is not specific to this bug bounty program
• You can freely discuss and ask questions about how to use Liferay DXP, but please do not discuss this bug bounty program or any specific vulnerability.