Chloe Chamberland
August 15, 2024

Earn Up to $31,200 Per Vulnerability: Introducing the WordPress Bug Bounty Superhero Challenge!

Today, we’re incredibly excited to launch a new challenge for the Wordfence Bug Bounty Program: the WordPress Superhero Challenge! Through October 14th, we’re introducing a new active installation count range for our bounties for plugins and themes with 5,000,000+ active installations and we are tripling our current top bounties for this new range.

This means that our top bounty during the challenge will be $31,200!

We’re calling all leading researchers who are up for the challenge. While all WordPress vulnerability researchers are heroes in our eyes, it often takes a superhero to find a vulnerability in a plugin or theme with over 5,000,000 active installs thanks to the rigorous testing that these products endure prior to entering production. By running this challenge, we want to supercharge the amount of research going into these extremely popular products, thereby improving the security of hundreds of millions of visitors to sites with these products installed.

We are also introducing a new badge for this challenge, the “WordPress Superhero” badge which will be unlocked for any researcher who submits a critical or high severity vulnerability in a plugin or theme with >= 5,000,000 Active Installs. Check it out below:

To spark some inspiration, here is a list of some bounty reward possibilities during the Superhero Challenge:

  • $31,200 for an Unauthenticated Arbitrary PHP File Upload Vulnerability (where the uploaded file can be executed)
    • $23,400 if it requires Subscriber-level Authentication to exploit
    •  $3,900 if it requires Contributor/Author-level Authentication to exploit
  • $31,200 for an Unauthenticated Remote Code Execution Vulnerability
    • $23,400 if it requires Subscriber-level Authentication to exploit
    • $3,900 if it requires Contributor/Author-level Authentication to exploit
  • $31,200 for an Unauthenticated Privilege Escalation to Admin or Authentication Bypass to Admin Vulnerability
    • $23,400 if it requires Subscriber-level Authentication to exploit
    • $3,900 if it requires Contributor/Author-level Authentication to exploit
  • $21,600 for an Unauthenticated Arbitrary File Deletion Vulnerability
    • $16,200 if it requires Subscriber-level Authentication to exploit
    • $2,700 if it requires Contributor/Author-level Authentication to exploit
  • $9,600 for an Unauthenticated Arbitrary File Read Vulnerability
    • $7,200 if it requires Subscriber-level Authentication to exploit
    • $1,200 if it requires Contributor/Author-level Authentication to exploit
  • $9,600 for an Unauthenticated SQL Injection Vulnerability
    • $7,200 if it requires Subscriber-level Authentication to exploit
    • $1,200 if it requires Contributor/Author-level Authentication to exploit
  • $3,840 for an Unauthenticated Stored Cross-Site Scripting Vulnerability
    • $2,880 if it requires Subscriber-level Authentication to exploit
    • $480 if it requires Contributor/Author-level Authentication

For more information on all the bounties we award, check out our bounty calculator here.

Wordfence continues to provide more funding for WordPress security research than any other organization. To date, we have awarded over $300,000 in bounties since the Bug Bounty Program launched in November of last year (2023). The vulnerabilities discovered are confidentially disclosed to vendors, who we work with to ensure their products are patched and released before any research is published. We then publish prominent vulnerabilities on our blog to help other security vendors improve their products, and to create awareness in the community about the risks of not updating.

Wordfence also provides a completely free vulnerability database via a web interface along with a webhook integration and an API that are both free to use. While some vendors consider vulnerabilities proprietary, we consider them public property, and to that end we do not charge for our vulnerability database or have any time limits on when a vulnerability is published in the database, other than the responsible disclosure period during which a vendor is fixing their product.

By funding more vulnerability research than any other organization and releasing vulnerabilities to the community in a timely fashion, we further our mission of securing the Web.

If you are a vulnerability researcher, know that the WordPress community is grateful for the important work that you do, and the Wordfence team is proud to join you in fulfilling our mission of securing the Web. If you’re not a researcher yet, get started by learning more and signing up here. Happy hunting!

Wordfence Bug Bounty Program - Unleash Your Potential

Join the Wordfence WordPress Bug Bounty Program and become a part of a thriving community of talented individuals committed to making the internet a safer place.

Join the Program

Did you enjoy this post? Share it!

LinkedIn 

Comments

4 Comments
  • RamoWill7
    August 15, 2024
    6:37 am

    What recommendations or suggestions do you have for those of us that have some programming experience and wordpress experience, but no experience in threat hunting whatsoever? Does Wordfence / Defiant offer any courses or certifications in how to do this? Or can you make any recommendations? (LinkedIn Learning, Udemy, etc. ?) *Note*: I am aware of this: https://www.wordfence.com/learn/ and I'm actively going through it now. Any additional help or resources would be greatly appreciated. Thank you!

    • Chloe Chamberland
      August 16, 2024
      8:15 am

      Hi there! Unfortunately, we do not offer any courses or certifications at this time. However, we do have several resources around. The learning center is a great start, as well as this PDF on some common coding flaws and how to prevent them: https://www.wordfence.com/wp-content/uploads/2021/07/Common-WordPress-Vulnerabilities-and-Prevention-Through-Secure-Coding-Best-Practices.pdf

      We're also in the process of creating and publishing a beginners researcher series, and the first two posts can be found here: https://www.wordfence.com/blog/2024/07/wordpress-security-research-a-beginners-series and here: https://www.wordfence.com/blog/2024/07/wordpress-security-research-series-wordpress-request-architecture-and-hooks/ I recommend signing up for the mailing list to ensure your updated when each post in the series gets published.

      Aside from those resources, I would recommend getting set up with all the necessary tools (Burp Suite, PHPStorm/VSCode, and a local testing instance) and then review our vulnerability database for recently disclosed vulnerabilities and practice exploiting them along with diving into why the flaw was created in the first place by reviewing the patched/unpatched diffs.

      Finally, you should join our Discord server! There are some great resources in there as well as several other researchers, both experienced and new, that are happy to help provide guidance along the way. https://discord.com/invite/awPVjTNTrn

      • RamoWill7
        August 16, 2024
        12:41 pm

        Excellent. Thank you very much! I'll check those resources out!

        • Chloe Chamberland
          August 21, 2024
          6:02 am

          You're welcome!

Breaking WordPress Security Research in your inbox as it happens.

Example of a news story

This site uses cookies in accordance with our Privacy Policy.