Doubling Bounties for Vulnerabilities Discovered Before Release

The best time to discover a security bug is before it’s ever released to users. Not only does that keep everybody safe, but it also makes the process of fixing the bug much simpler and faster.

The WordPress Security Team would love to see researchers focusing more of their attention on new code being introduced in betaBeta A pre-release of software that is given out to a large group of users to trial under real conditions. Beta versions have gone through alpha testing in-house and are generally fairly close in look, feel and function to the final product; however, design changes often occur as part of the process. releases, so we’re offering to double the bounty for any new vulnerability in CoreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress. that is reported after Beta 1 and before the final release candidateRelease Candidate A beta version of software with the potential to be a final product, which is ready to release unless significant bugs emerge. (RCRelease Candidate A beta version of software with the potential to be a final product, which is ready to release unless significant bugs emerge.).

For example, a bug that would be awarded $600 if it were reported after the release will instead be awarded $1,200 if it’s reported between Beta 1 and the final RC.

You can learn more about our bug bounty program by visiting our HackerOne page.

Do vulnerabilities qualify if reported after the final RC but before the release?

No, because there’s sometimes only a day or two between the final RC and the last release, and we may not receive and triage your report in time for it to prevent the vulnerability from being released.

How can I know when a beta1 is released?

We publish posts at whenever a beta or RC release is ready. To get email notifications, enter your address in the sidebarSidebar A sidebar in WordPress is referred to a widget-ready area used by WordPress themes to display information that is not a part of the main content. It is not always a vertical column on the side. It can be a horizontal rectangle below or above the content area, footer, header, or any where in the theme. and click on theSubscribe button.

How are Beta and RC releases scheduled?

When an upcoming release is ready for initial testing, we publish a beta1 (for example, 5.1-beta1). If significant bugs are discovered, we’ll fix them and publish beta2, beta3, etc.

Once the code seems like it might be stable enough for production, we’ll publish RC1 (for example 5.1-RC1). If significant bugs are discovered, we’ll fix them and publish RC2, RC3, etc.

Once we’re confident that the code is ready for production servers, we’ll publish the final release (for example, 5.0).

How can I know how much time I’ll have before the final RC?

The timing and number of betas/RCs can vary, but there’s usually about a month between the first beta and the last RC. You can view a rough schedule for the release by visiting the Make Core blog, and following the link in the sidebar under Current Release. To give yourself the most time, we recommend that you start testing when beta1 is released.

Are bounties doubled for unreleased vulnerabilities in other software, like GutenbergGutenberg The Gutenberg project is the new Editor Interface for WordPress. The editor improves the process and experience of creating new content, making writing rich content much simpler. It uses ‘blocks’ to add richness rather than shortcodes, custom HTML etc. and WP-CLIWP-CLI WP-CLI is the Command Line Interface for WordPress, used to do administrative and development tasks in a programmatic way. The project page is

Yes! Everything here applies to all of our software, as long as you report it between beta1 and the final RC.

Do existing vulnerabilities qualify if I report them during the beta period?

No, the intent of the bonus is to catch security bugs before they make it into a final release, so only vulnerabilities in new code qualify.