Liferay DXP
Bounty Range: $100 - $2,000
External program | Public | Suspended | Software
Description
Liferay is a provider of B2B enterprise open source technologies that empowers businesses around the world to solve complex digital challenges. Over a thousand organizations in financial services, insurance, manufacturing, healthcare and government use Liferay worldwide. Our goal is to help companies reach their full potential to serve others, and we try to leave a positive mark on the world through our business and technology.
Bounties
Severity (CVSS range) | Bounty |
Low 0.1 - 3.9 | $100 |
Medium 4.0 - 6.9 | $250 |
High 7.0 - 8.9 | $1,000 |
Critical 9.0 - 9.4 | $2,000 |
Exceptional 9.5 - 10.0 | $2,000 |
User agent: Not applicable
Automated tooling: Not applicable
Request header: Not applicable
https://go.intigriti.com/researcher-rules-of-engagement
Respect the [Community Code of Conduct](https://go.intigriti.com/coc)
Respect the Intigriti [Terms and Conditions](https://go.intigriti.com/tac)
Respect the scope of the program
Do not discuss or disclose vulnerability information without prior written consent (including PoCs on YouTube and Vimeo)
Validation times
We do our best to validate all submissions within the below timelines, once your submission has been verified by Intigriti.
Vulnerability Severity | Time to validate |
Exceptional | 5 Working days |
Critical | 5 Working days |
High | 5 Working days |
Medium | 10 Working days |
Low | 10 Working days |
Check our fix: We offer up to a $50 bonus for verifying a resolved issue for us (when requested). This remains at the discretion of Liferay to award.
Safe harbour for researchers is applied.
Assets
Asset | Type | Tier |
Liferay DXP 2026.Q1 | Other | Tier 2 |
Liferay DXP 2025.Q1 | Other | Tier 2 |
Liferay DXP 2024.Q1 | Other | Tier 2 |
In scope
We are particularly interested in:
Remote code execution (RCE); especially circumvention of security controls in templates and workflow.
New features in Liferay DXP https://support.liferay.com/e/release-notes/release-highlights/20004/25617866?r=25617866, https://support.liferay.com/e/release-notes/release-highlights/20004/25734713?r=25734713.
Source code: Source code for Liferay Portal (Liferay Portal and Liferay DXP share a common codebase) is available to help you find vulnerabilities in Liferay DXP. The source code can be downloaded from the Liferay Portal project on https://github.com/liferay/liferay-portal/releases/tag/7.4.3.132-ga132.
Only the latest version is in scope. Please verify your report in the latest version.
Identical Vulnerabilities Across Multiple Versions/Assets are considered Duplicates:
All listed versions—DXP 2025.Q4.x, DXP 2025.Q1.x-lts, and DXP 2024.Q1.x—are considered equally in scope and important for our security efforts. However, since all Liferay DXP versions share a common codebase, only the first reported submission of a unique underlying vulnerability will be considered valid and eligible for a bounty.
We do not award separate bounties for subsequent reports of the same logical vulnerability, regardless of which in-scope version(s) are affected. Once a vulnerability is validated in any single version, our internal team confirms its presence in other applicable in-scope versions. A single internal fix ticket is then created to address the flaw across all supported, affected versions simultaneously.
Subsequent submissions reporting the same flaw will be closed as Duplicate.
Only the Liferay DXP application itself is in scope. The Docker image is provided for convenience. Any issue rooted in the Docker image and not in the application itself may not be eligible for a bounty. If you do not want to use the Docker image or you want to use a different application server, please refer to https://learn.liferay.com/w/dxp/installation-and-upgrades/installing-liferay/installing-liferay-on-an-application-server.
Please consider the role of the user used during testing (see https://learn.liferay.com/web/guest/w/dxp/users-and-permissions/roles-and-permissions/understanding-roles-and-permissions) and whether a particular action makes sense for that role. For example: Omni-administrators (i.e., users with the Administrator role in the default instance) have complete access to the application and the underlying server, including, but not limited to, the ability to access all data, execute arbitrary code in the scripting console, execute OS commands via the Gogo shell, and add arbitrary HTML and JavaScript to a page. These actions are not considered a vulnerability. On the other hand, a regular authenticated user who can perform these actions is a vulnerability.
HTTPS is not enabled by default in the Docker image. If you want to test with HTTPS enabled, you will need to configure SSL/TLS. If you are using a different application server, please refer to that application server's documentation.
Feedback: Would you like to help us improve our program or have some feedback to share? Please send your anonymous [feedback here](https://go.intigriti.com/program-feedback). Please note this form will be checked periodically and should not be used for submission or support queries.
Out of scope
Any domain that is not listed in the Domains section is out of scope for this program. In particular:
Liferay DXP 7.4 and earlier
Liferay Portal 7.4 and earlier
Liferay DXP 7.3 and earlier
Liferay Portal 7.3 and earlier
Liferay DXP 7.2 and earlier
Liferay Portal 7.2 and earlier
Nightly/test/GA/RC builds of Liferay Portal/DXP
Non latest Liferay DXP quarterly releases
API key disclosure without proven business impact
Anything related to email spoofing, SPF, DMARC or DKIM
Arbitrary file upload without proven business impact
Banner grabbing/Version disclosure
Best practices violations (password complexity, expiration, re-use, etc.)
Blind SSRF without proven business impact (DNS pingback only is not sufficient)
Circumventing Liferay DXP licensing
Clickjacking on pages with no sensitive actions
Content injection without a convincing proof-of-concept
CORS misconfiguration on non-sensitive endpoints
Cross-domain referrer leakage
Cross-site Request Forgery with no or low impact
CSV Injection in a CSV file opened by an out of scope domain
Disclosed and/or misconfigured Google API key (including maps)
Disclosing API keys without proven impact
DNS rebinding
Email address aliasing (using plus(+) and dot(.) characters)
Email bombing
Homograph attacks
Host header injection without proven business impact
Hyperlink injection/takeovers
HSTS settings
HTTP Request smuggling without any proven impact
Insecure (HTTP) connection to DXP
Insufficient password hashing workload
Missing cookie flags
Missing CSP
Missing security headers
Mixed content type issues
Not stripping metadata of images
Open ports without an accompanying proof-of-concept demonstrating vulnerability
Pre-Auth Account takeover/OAuth squatting
Presence of autocomplete attribute on web forms
Rate-limit bypass or the non-existence of rate-limits
Reverse tabnabbing
Same-site scripting
Self-XSS that can't be used to exploit other users
Sessions not being invalidated (logout, enabling 2FA, etc.)
Software or a library that is out of date/vulnerable without a proof-of-concept
Subdomain takeover without actually taking over the subdomain
Username enumeration
Verbose messages/files/directory listings without disclosing any sensitive information
_vti_inf.html disclosure when the server is not running FrontPage
Weak SSL configurations and SSL/TLS scan reports
XMLRPC enabled
If a reported vulnerability was already known to the company from their own tests, it will be flagged as a duplicate
Identical Vulnerabilities Across Multiple Versions/Assets are considered Duplicates:
All listed versions—DXP 2025.Q3.x, DXP 2025.Q1.x-lts, and DXP 2024.Q1.x—are considered equally in scope and important for our security efforts. However, since all Liferay DXP versions share a common codebase, only the first reported submission of a unique underlying vulnerability will be considered valid and eligible for a bounty.
We do not award separate bounties for subsequent reports of the same logical vulnerability, regardless of which in-scope version(s) are affected. Once a vulnerability is validated in any single version, our internal team confirms its presence in other applicable in-scope versions. A single internal fix ticket is then created to address the flaw across all supported, affected versions simultaneously.
Subsequent submissions reporting the same flaw will be closed as Duplicate.
Issues that are the result of an insecure default setting may be lowered in severity
Issues identified in the source code without a proof-of-concept
Issues that are only exposed after enabling a [feature flag](https://learn.liferay.com/en/w/dxp/system-administration/configuring-liferay/feature-flags)
Issues that are only exploitable after changing a configuration that is intended to decrease security (e.g., XXE is exploitable after disabling XXE protection)
Vulnerabilities that are limited to application servers, databases, OS, browsers and/or JDK that are not listed on the [compatibility matrix](https://www.liferay.com/compatibility-matrix)
For Liferay DXP, the Docker image is provided for convenience. Any issue rooted in the Docker image and not in the application itself may not be eligible for a bounty.
Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited, may be excluded or be lowered in severity
Attacks requiring physical access to a victim’s computer/device, access to the operating system, or compromised user accounts
Spam, social engineering and physical intrusion
DoS/DDoS attacks or brute force attacks
Recently discovered zero-day vulnerabilities found in in-scope assets within 14 days after the public release of a patch or mitigation may be reported, but are usually not eligible for a bounty
This bug bounty program is intended for external security researchers. Liferay employees, Liferay customers, and Liferay partners are required to report all issues and vulnerabilities through the established Liferay Internal Support processes. Submissions from these groups via the bug bounty program will not be considered.
Severity assessment
This program follows Intigriti's [triage standards](https://go.intigriti.com/triage-standards) based on the proof of concept with the following exception:
XSS vulnerabilities can have a max severity of medium
FAQ
Docker image ([detailed instructions](https://learn.liferay.com/w/dxp/getting-started/starting-with-a-docker-image)):
docker pull liferay/[image]
docker run -it -m 8g -p 8080:8080 liferay/[image]
Open your browser to http://localhost:8080
The application will prompt you to choose a password the first time you run the application.
Email address: [email protected]
Password: test
License key is not needed for Liferay DXP as the Docker images are pre-installed with a license key.
Open the Application Menu
Click on the "Control Panel" tab and click "Sites"
Click on the plus icon to add a new site
Choose one of the templates to create a new site
In addition to the documentation at https://learn.liferay.com/w/dxp/index, the Liferay community is available on Slack at https://join.slack.com/t/liferay-community/shared_invite/zt-1uv9fe139-fF5hhvG71QK~BKEeyBUftw. However, please be aware of the following:
Slack is for the general Liferay community and is not specific to this bug bounty program
You can freely discuss and ask questions about how to use Liferay DXP, but please do not discuss this bug bounty program or any specific vulnerability.
Overall stats
Submissions received: 155
Average payout: N/A
Accepted submissions: N/A
Total payouts: N/A
Last 90 day response times
Avg. time to first response: < 5 days
Avg. time to decide: +3 weeks
Avg. time to triage: < 2 weeks
Activity
3/23 Liferay suspended the program
3/23 bruhbey created a submission
3/23 oxship created a submission
3/23 abdullah33 created a submission
3/23 bruhbey created a submission
3/23 Liferay unsuspended the program
3/21 Liferay suspended the program
3/21 truff created a submission
3/21 truff created a submission
3/21 wulonchia created a submission