Bug bounty for WordPress 6.4 Beta
Think you found a security bug in WordPress 6.4 Beta?
The WordPress Security Team wants to find potential security issues before they land in the final WordPress release. Like last time, we’d love to see researchers focusing more of their attention on new code being introduced in beta releases, so we’re offering to double the bounty for any new vulnerability in Core that is reported after Beta 1 and before the final release candidate (RC).
For example, a bug that would normally be awarded $600 would be doubled to $1200 if reported in the new code between Beta 1 and the final RC.
Release schedule for WordPress 6.4 Beta/RC releases can be found here (Beta 1 is scheduled for today). There’s usually about a month between the first beta and the last release candidate (RC).
How can I report security issues?
The WordPress security team accepts security issues through our HackerOne program. The general eligibility criteria for reports are listed in the program policy and must be followed.
Do existing vulnerabilities qualify if I report them during the beta period?
No, the intent of the bonus is to catch security bugs before they make it into a final release, so only vulnerabilities in new code qualify.
Doubling the Bounties for WordPress 6.3 Beta
WordPress 6.3 Beta 1 will be released later today, June 28th. As with the previous release cycles, this time too we’re focused on finding new security issues before they make it to the final release.
The WordPress security team is inviting security researchers to find security bugs in WordPress 6.3. We will double the bounties for any new vulnerabilities reported in the new code for WordPress. The submission window will open today with the release of Beta 1 and close before the final release candidate (RC) is out.
We post here whenever a beta or RC release is ready: https://wordpress.org/news/.
Release schedule for WordPress 6.3 beta/RC releases can be found here.
How can I report security issues?
The WordPress security team accepts security issues through our HackerOne program, which can be found here. The general eligibility criteria for reports are listed in the program policy and must be followed.
Do existing vulnerabilities qualify if I report them during the beta period?
No, the intent of the bonus is to catch security bugs before they make it into a final release, so only vulnerabilities in new code qualify.
We have more info in this previous announcement.
Dropping security updates for WordPress versions 3.7 through 4.0
The WordPress Security Team will cease providing updates for WordPress versions 3.7 – 4.0 in three months’ time, as of December 1, 2022.
Officially WordPress only provides support for the latest version of the software. The Security team historically has a practice of backporting security fixes as a courtesy to sites on older versions in the expectation the sites will be automatically updated.
Until now, these courtesy backports have included all versions of WordPress that support automatic updates. WordPress versions 3.7 – 4.0 have reached a level of usage, namely less than 1% of total installs, where the benefit of providing these updates is outweighed by the effort involved.
Background
Sites running WordPress 3.7 – 4.0 form a very low percentage of total WordPress installations. Conversely, backporting security updates to older versions of WordPress takes a substantial amount of time, and this cost compounds with each new major version released.
The effect of this imbalance is that the Security team spends most of its time preparing backports for a small minority of WordPress installations. By dropping support for these older versions, the newer versions of WordPress will become more secure, as more time can be focused on their needs.
The decision on which versions to drop support for was based on the percentage of sites reported on the statistics page.
Process
An out-of-date version of WordPress, in this case versions 4.0.* and older, displays a non-dismissible notice in the dashboard informing users that an update is available. In the final updates for these WordPress versions, these notices will be made more prominent and will inform the administrator that their version of WordPress is no longer receiving security updates.

An additional string will be added to the code base to allow for the future dropping of security support.
These strings will be committed to trunk and backported to each of the earlier versions prior to the release date. This will allow the Polyglot teams to translate them and for the strings to begin appearing in translation packages. Don’t panic: not all of the versions of WordPress containing these strings will be affected any time soon.
WordPress 5.8 Beta & Double the Bounties
WordPress 5.8 Beta 1 was released last week. It’s the upcoming major update and we’d love our security researcher friends to take a look at it and see if you can find any vulnerabilities in the new code.
WordPress 5.8 will contain new features and optimizations. For example, the new block-based Widgets Editor; it’s an upgrade to the widget areas provided by WordPress through themes and a complete replacement for the widgets admin screen.
As a reminder, we double the bounty for all our covered software, provided you’re able to find issues in new code before the final release candidate (RC) is out. For example, a $600 bounty would be doubled to $1200, flat.
The window normally opens with beta1; that is currently the case for WordPress 5.8 Beta 1.
You can take a look at the release schedule for 5.8 beta/RC releases here.
Potential issues can be submitted here.
Happy bug hunting!
Doubling Bounties for Vulnerabilities Discovered Before Release
The best time to discover a security bug is before it’s ever released to users. Not only does that keep everybody safe, but it also makes the process of fixing the bug much simpler and faster.
The WordPress Security Team would love to see researchers focusing more of their attention on new code being introduced in beta releases, so we’re offering to double the bounty for any new vulnerability in Core that is reported after Beta 1 and before the final release candidate (RC).
For example, a bug that would be awarded $600 if it were reported after the release will instead be awarded $1,200 if it’s reported between Beta 1 and the final RC.
You can learn more about our bug bounty program by visiting our HackerOne page.
Do vulnerabilities qualify if reported after the final RC but before the release?
No, because there’s sometimes only a day or two between the final RC and the last release, and we may not receive and triage your report in time for it to prevent the vulnerability from being released.
How can I know when a beta1 is released?
We publish posts at w.org/news whenever a beta or RC release is ready. To get email notifications, enter your address in the sidebar and click on the Subscribe button.
How are Beta and RC releases scheduled?
When an upcoming release is ready for initial testing, we publish a beta1 (for example, 5.1-beta1). If significant bugs are discovered, we’ll fix them and publish beta2, beta3, etc.
Once the code seems like it might be stable enough for production, we’ll publish RC1 (for example, 5.1-RC1). If significant bugs are discovered, we’ll fix them and publish RC2, RC3, etc.
Once we’re confident that the code is ready for production servers, we’ll publish the final release (for example, 5.0).
How can I know how much time I’ll have before the final RC?
The timing and number of betas/RCs can vary, but there’s usually about a month between the first beta and the last RC. You can view a rough schedule for the release by visiting the Make Core blog and following the link in the sidebar under Current Release. To give yourself the most time, we recommend that you start testing when beta1 is released.
Are bounties doubled for unreleased vulnerabilities in other software, like Gutenberg and WP-CLI?
Yes! Everything here applies to all of our software, as long as you report it between beta1 and the final RC.
Do existing vulnerabilities qualify if I report them during the beta period?
No, the intent of the bonus is to catch security bugs before they make it into a final release, so only vulnerabilities in new code qualify.