Hello Researchers,
We are reaching out to share an update regarding our program priorities and the current bounty structure for Liferay DXP Virtual Instances.
What is Changing?
Effective immediately, vulnerabilities specifically targeting Virtual Instances (cross-instance data access or configuration leaks between non-default and default instances) are no longer considered a top priority for our security team.
As a result, we are discontinuing the (up to) $250 bonus previously offered for these specific types of findings.
Why the Change?
While Virtual Instances provide helpful isolation for certain use cases, this feature is no longer considered a critical functionality within the Liferay DXP ecosystem. To ensure our Bug Bounty program remains focused on the most vital components of our architecture, we are shifting our rewards toward core features that represent the highest impact for our users.
Impact on Submissions
- New Submissions: Any reports submitted from this point forward regarding virtual instances will be assessed based on their standard technical impact without the additional bonus.
- Current Open Submissions: If you have an active, open submission related to virtual instances, it will be processed under the previous rules and remains eligible for the (up to) $250 bonus.
Thank you for the already provided high-quality findings in this area! Your contributions have been instrumental in hardening the isolation between instances.
The Liferay Security Team
Hello Security Researchers,
We are pleased to announce the release of Liferay DXP 2025.Q4. We encourage you to update your testing efforts to this latest version.
Please be aware of the following important updates regarding submissions affecting Liferay DXP 2025.Q3.
New Submissions:
- Liferay DXP 2025.Q3 is out of scope.
- Effective immediately, we will no longer accept new submissions that exclusively affect the Liferay DXP 2025.Q3 version.
Handling of existing, open submissions:
- If you have an existing, open submission that targets the Liferay DXP 2025.Q3 version, please do not worry about refusal due to the new quarterly release.
- These submissions will be evaluated based on the version they were originally submitted against. If the finding is valid (meets all other program policy requirements), it will be accepted and processed as usual.
Thank you for your continued valuable work in helping us secure our product!
The Liferay Security Team
Hello Security Researchers,
Thank you to the entire community for the incredible response to our Public Liferay DXP Bug Bounty program launch. We are delighted with the volume of high-quality reports received.
To ensure we can effectively handle the current backlog and maintain our commitment to timely triage, we are temporarily pausing the acceptance of new submissions.
We will continue to process all existing reports according to our policy. We appreciate your patience and look forward to reopening the program soon.
Keep an eye on this page for an update on when submissions will resume.
Thank you for making this launch a huge success!
The Liferay Security Team























