Bug bounty for WordPress 6.4 Beta

Think you found a security bug in WordPress 6.4 Beta?

The WordPress Security Team wants to find potential security issues before they land in the final WordPress release. Like last time, we’d love to see researchers focusing more of their attention on new code being introduced in beta releases, so we’re offering to double the bounty for any new vulnerability in Core that is reported after Beta 1 and before the final release candidate (RC).

For example, a bug that would normally be awarded $600 would be doubled to $1200 if reported in the new code between Beta 1 and the final RC.

The release schedule for WordPress 6.4 Beta/RC releases can be found here (Beta 1 is scheduled for today). There’s usually about a month between the first beta and the last release candidate (RC).

How can I report security issues?

The WordPress security team accepts security issues through our HackerOne program. The general eligibility criteria for reports are set out in the program policy and must be followed.

Do existing vulnerabilities qualify if I report them during the beta period?

No, the intent of the bonus is to catch security bugs before they make it into a final release, so only vulnerabilities in new code qualify.