WordPress XSSplorer Challenge: An Expanded Scope for All Researchers in the Wordfence Bug Bounty Program

From now through October 7th, 2024, we are expanding the scope of our Bug Bounty Program to include all Cross-Site Scripting (XSS) vulnerabilities—both Reflected and Stored—in any WordPress plugin or theme with at least 1,000 active installations. This temporary scope expansion applies to all researchers, regardless of their current tier, providing an opportunity for everyone to explore well over 12,000 software targets for XSS vulnerabilities.

We’re calling this the WordPress XSSplorer Challenge, an initiative designed to encourage researchers at all levels to explore the WordPress ecosystem and uncover as many XSS vulnerabilities as possible.

An Opportunity for Researchers of All Levels

Recognizing that our bug bounty program can be challenging for those new to the WordPress Bug Bounty space due to minimum install count requirements, we’re providing an inclusive opportunity for everyone – whether you’re just starting out or already a seasoned researcher – to explore one of the most common vulnerabilities in WordPress.

Cross-Site Scripting (XSS) vulnerabilities are frequently introduced and widely found, making this challenge an excellent entry point for new researchers and a rewarding focus for experienced ones.

We’re anticipating an unprecedented level of participation and expect to see record numbers of vulnerabilities identified and remediated. Your contributions will directly enhance the security of millions of WordPress users worldwide.

Introducing the XSS Achievement Badge

To mark this occasion, we are also introducing a new Achievement Badge for Cross-Site Scripting (XSS) vulnerabilities. Any researcher who has already submitted at least one XSS vulnerability will receive this badge, and new researchers who submit their first XSS vulnerability during the challenge, or in the future, will also be awarded the badge.

If you’re not already familiar with our achievement badges, you can view them all here.

WordPress Superhero Challenge Continues

During this period, the WordPress Superhero Challenge will also remain active, running through October 14th, 2024. This ongoing challenge offers more experienced researchers the chance to identify the most impactful vulnerabilities, with potential rewards of up to $31,200 per finding.

For detailed information on all available bounties, please refer to our bounty calculator.

Wordfence’s Commitment to WordPress Security

Wordfence remains committed to advancing WordPress security research. Since the launch of our Bug Bounty Program in November 2023, we have awarded over $320,000 in bounties. We ensure that vulnerabilities are confidentially disclosed to vendors, who we work with to patch and release updates before any findings are made public. We then share prominent vulnerabilities on our blog to help other security vendors improve their products and to raise awareness within the community about the importance of keeping software up to date.

In addition to our bug bounty program, Wordfence offers a free, comprehensive vulnerability database accessible through a web interface, webhook integration, and API. While some vendors treat vulnerabilities as proprietary, we believe they should be considered public information, and we do not charge for access to our database. Our commitment to timely and responsible disclosure further underscores our mission to secure the Web.

Join the Effort to Secure the Web

If you are a vulnerability researcher, the WordPress community greatly appreciates your work, and the Wordfence team is excited to support you in our shared mission of securing the Web.

If you are interested in becoming a researcher, we encourage you to learn more and sign up here. We look forward to your participation. Happy hunting!

P.S. Stay tuned for a complete guide to hunting XSS vulnerabilities for beginners that we’ll be publishing tomorrow!

2 Comments
  • Is this program only for unauthenticated findings, or both (unauthenticated and authenticated)?

    • This is for both unauthenticated and authenticated Cross-Site Scripting vulnerabilities. High-level authenticated exploits (like admin/editor) are still out of scope.