Doubling the Bounties for WordPress 6.3 Beta

WordPress 6.3 Beta 1 will be released later today, June 28th. As with previous release cycles, we're again focused on finding new security issues before they make it to the final release.

The WordPress security team is inviting security researchers to find security bugs in WordPress 6.3. We will double the bounties for any new vulnerabilities reported in the new code for WordPress. The submission window will open today with the release of Beta 1 and close before the final release candidate (RC) is out.

We post here whenever a beta or RC release is ready: https://wordpress.org/news/.

The release schedule for WordPress 6.3 beta/RC releases can be found here.

How can I report security issues?

The WordPress security team accepts security issues through our HackerOne program, which can be found here. The general eligibility criteria for reports are described in the program policy and must be followed.

Do existing vulnerabilities qualify if I report them during the beta period?

No, the intent of the bonus is to catch security bugs before they make it into a final release, so only vulnerabilities in new code qualify.

We have more info in this previous announcement.

#bounties