Doubling Bounties for Vulnerabilities Discovered Before Release

The best time to discover a security bug is before it’s ever released to users. Not only does that keep everybody safe, but it also makes the process of fixing the bug much simpler and faster.

The WordPress Security Team would love to see researchers focusing more of their attention on new code being introduced in beta releases, so we’re offering to double the bounty for any new vulnerability in Core that is reported after Beta 1 and before the final release candidate (RC).

For example, a bug that would be awarded $600 if it were reported after the release will instead be awarded $1,200 if it’s reported between Beta 1 and the final RC.

You can learn more about our bug bounty program by visiting our HackerOne page.

Do vulnerabilities qualify if reported after the final RC but before the release?

No, because there’s sometimes only a day or two between the final RC and the last release, and we may not receive and triage your report in time for it to prevent the vulnerability from being released.

How can I know when a beta1 is released?

We publish posts at whenever a beta or RC release is ready. To get email notifications, enter your address in the sidebar and click on theSubscribe button.

How are Beta and RC releases scheduled?

When an upcoming release is ready for initial testing, we publish a beta1 (for example, 5.1-beta1). If significant bugs are discovered, we’ll fix them and publish beta2, beta3, etc.

Once the code seems like it might be stable enough for production, we’ll publish RC1 (for example 5.1-RC1). If significant bugs are discovered, we’ll fix them and publish RC2, RC3, etc.

Once we’re confident that the code is ready for production servers, we’ll publish the final release (for example, 5.0).

How can I know how much time I’ll have before the final RC?

The timing and number of betas/RCs can vary, but there’s usually about a month between the first beta and the last RC. You can view a rough schedule for the release by visiting the Make Core blog, and following the link in the sidebar under Current Release. To give yourself the most time, we recommend that you start testing when beta1 is released.

Are bounties doubled for unreleased vulnerabilities in other software, like Gutenberg and WP-CLI?

Yes! Everything here applies to all of our software, as long as you report it between beta1 and the final RC.

Do existing vulnerabilities qualify if I report them during the beta period?

No, the intent of the bonus is to catch security bugs before they make it into a final release, so only vulnerabilities in new code qualify.