Wrap Up the Year with the Biggest Scope and Rewards Yet: Join the Wordfence Bug Bounty Program End of Year Holiday Extravaganza!

The holidays are here, and so is your chance to earn big while helping secure the WordPress ecosystem! For all submissions to our Bug Bounty Program from November 12, 2024, to December 9, 2024, we’re rolling out our End of Year Holiday Extravaganza promotion to give back to our security researchers and help clean up the WordPress ecosystem.

This exciting event is packed with expanded scope, higher submission limits, and bigger bonuses—all aimed at ending the year with a bang while also educating up and coming developers on security best practices.

During the last promotion, we received nearly 700 vulnerability submissions and awarded over $40,000 in bounties. This time, we aim to take the promotion to the next level with a goal to receive over 1,000 submissions and award more than $100,000 in bounties—creating a truly exciting opportunity for our researchers!


Key Highlights of the End of Year Holiday Extravaganza

  • Promotion Dates: November 12, 2024 – December 9, 2024
  • Expanded Scope: All plugins and themes with >= 1,000 active installs are in-scope for all researchers AND plugins and themes hosted on WordPress.org with 50–999 active installations, updated within the last 2 years, are now in scope for all researchers.
  • Automatic Bonuses ranging from 5%–180%, based on active installs and researcher tier.
  • Minimum Bounty: $5 for any in-scope vulnerability reported during the promotion period.
  • Increased Pending Report Limits for all researcher levels.
  • Superhero Challenge Extended Again: Earn up to $31,200 for high-impact findings in plugins and themes with 5,000,000+ active installs!

Expanded Scope for Smaller Plugins & Themes: An Opportunity to Educate Up-and-Coming Developers on Security Best Practices

This year’s Holiday Extravaganza introduces a focus on plugins and themes hosted on WordPress.org with 50–999 active installations and updated within the last 2 years. By opening the doors to smaller projects, we’re addressing vulnerabilities in areas that often get overlooked.

Why is this important?

  • Cleaning Up the Ecosystem: By targeting smaller plugins early on, we can address vulnerabilities before these plugins and themes grow in popularity and impact. This proactive approach helps protect WordPress users at all stages of plugin adoption.
  • Educating Developers: Many developers of smaller plugins may not yet have security best practices in place. This is a chance to help them build more secure projects from the ground up.

Our goal is to educate developers on security best practices while their plugins still have a small user base, reducing the risk of introducing major vulnerabilities as they grow. We hope this leads to more patches and secured plugins rather than plugin closures, contributing to a safer, more resilient ecosystem.

Important Notes:

  • Only plugins and themes that have been updated within the last two years and have at least 50 active installations may be eligible for bounties.
  • Researchers can expect a minimum bounty of $5 for any vulnerabilities reported in these plugins and themes.
  • Plugins or themes created during the promotion period are out-of-scope. Additionally, only plugins or themes hosted on the WordPress.org repository are eligible.

Save Up for the Holidays: Boosting Opportunities for All Researchers

We’re ensuring all researchers can benefit from this End of Year Holiday Extravaganza by offering higher submission limits and automated bonuses on all accepted vulnerabilities. We’ve essentially extended last month’s Cybersecurity Month Spooktacular Haunt, but with increased bonus rewards for our top-tier researchers and an introduced automatic bonus for our standard researchers.

Here’s what you can expect:

Automatic Valid Submission Bonuses:

We’re offering automatic bonuses for all valid submissions based on the active installation count of the software and the submitting researcher’s tier:

  • Standard Researchers: Bonuses from 5% to 30% for software with at least 1,000 active installs, but fewer than 5,000,000 active installs.
  • Resourceful Researchers: Bonuses from 20% to 120% for software with at least 1,000 active installs, but fewer than 5,000,000 active installs.
  • 1337 Researchers: Bonuses from 30% to 180% for software with at least 1,000 active installs, but fewer than 5,000,000 active installs.

Increased Pending Report Limits:

  • Standard Researchers: Pending report limit increases to 30, up from 5.
  • Resourceful Researchers: Pending report limit is now 45, up from 15.
  • 1337 Researchers: Pending report limit is boosted to 60, up from 30.

These bonuses are designed to help you earn more while contributing to a more secure WordPress ecosystem—and save up for the holidays!

For a detailed breakdown of the bonus structure and what’s in scope, refer to our bonus chart here:


The Superhero Challenge Extended: Earn Up to $31,200!

For those of you ready to take things to the next level, the Superhero Challenge has been extended! Researchers can earn up to $31,200 for high-impact vulnerabilities discovered in plugins and themes with 5,000,000+ active installations. This is your chance to make a significant impact on the WordPress ecosystem while earning some huge rewards!

Whether you’re targeting high-traffic plugins or working on lesser-known gems, the Superhero Challenge offers a chance to boost both your reputation and your bank account with top-tier finds.


How to Participate: Join the End of Year Holiday Extravaganza and Help Us Secure WordPress!

Ready to make a real impact on WordPress security—and earn some amazing rewards along the way?

The End of Year Holiday Extravaganza is your chance to join the hunt for vulnerabilities and contribute to a safer, more secure WordPress ecosystem. Here’s how to get started:

🎯 Explore the Program Details

Head over to our Bug Bounty Overview for the full breakdown of our program. From expanded scope to increased bonuses, you won’t want to miss all the exciting opportunities!

🎅 Sign Up as a Researcher & Join our Discord Server

If you haven’t joined yet, sign up to become a researcher today! It’s free to join, and you’ll be part of a growing community of security experts working together to protect WordPress. You can also join our Discord server to collaborate directly with our team and other talented researchers.

🔍 Start Submitting Vulnerability Reports

Once you’re signed up, start submitting your vulnerability reports through our portal. Whether you’re targeting plugins and themes with fewer than 1,000 active installs or going for high-impact findings in the Superhero Challenge, there’s a reward waiting for you.

💰 Earn Incredible Rewards

This isn’t just about securing WordPress—it’s about earning amazing rewards for your hard work. With automatic bonuses, higher submission limits, and the chance to win up to $31,200 for Superhero Challenge findings, it’s the perfect way to end the year on a high note!

Don’t miss out on this fantastic opportunity to make a difference in WordPress security while building your holiday savings!


Wordfence’s Commitment to WordPress Security

At Wordfence, we remain committed to advancing WordPress security research. Since launching our Bug Bounty Program in November 2023, we’ve awarded close to $400,000 in bounties.

We ensure that vulnerabilities are disclosed confidentially to vendors, who we work with to patch and release updates before any findings are made public. We then share prominent vulnerabilities on our blog to help other security vendors improve their products and raise awareness within the community about the importance of keeping software up to date.

In addition to our bug bounty program, Wordfence offers a free, comprehensive vulnerability database accessible through a web interfacewebhook integration, and API.

While some vendors treat vulnerabilities as proprietary, we believe they should be considered public information, and we do not charge for access to our database. Our commitment to timely and responsible disclosure further underscores our mission to secure the Web.

Did you enjoy this post? Share it!

Comments

No Comments