🦸 💥 Calling all superheroes and hunters! Introducing the End of Year Holiday Extravaganza and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program
Through December 9th, 2024, all in-scope vulnerability types for WordPress plugins/themes with >= 1,000 Active Installations are in-scope for ALL researchers, all plugins and themes that are hosted in the WordPress.org repository with at least 50 active installs that have been updated in the last 2 years will be in-scope for ALL researchers, the minimum bounty awarded for all in-scope submissions will be $5, and ALL researchers earn automatic bonuses of 5%-180% for valid submissions in software with 1,000 - 4,999,999 active installs, pending report limits are increased for all, and it's possible to earn up to $31,200 for high impact vulnerabilities!
Review what's in scope for your tier and updated bounties with bonuses here!
Bug Bounty Program — Reward Payment Schedule
Welcome to the payout hub of our bug bounty program! Here you’ll find the complete details of our bounty payout ranges and bonuses, curated to reflect the importance of your contributions. Your efforts to uncover vulnerabilities in our open source ecosystem are invaluable, and we believe it's essential to reward your hard work appropriately.
The bounty payout is determined by a multitude of factors including the severity of the vulnerability, its likelihood of exploitation, and the potential impact on users. We've divided vulnerabilities into four ranks: Low, Medium, High, and Critical, each with its own payout range. Whether you've unearthed a Cross-Site Request Forgery or exposed an Unauthenticated Remote Code Execution, we've designed our payout structure to reflect the diverse nature of these vulnerabilities.
Please note that our Vulnerability Rank is not solely based on the CVSS score. We also take into account internal metrics to determine how impactful a vulnerability could be to both the site owner and the larger WordPress community. Factors like the likelihood of exploitation, active installation count of affected software, and the likelihood of vulnerability discovery play a crucial role in determining a vulnerability’s payout.
Along with the base bounty, we also offer bonus multipliers, designed to reward the extra mile you go in your quest for bugs. Whether you handle responsible disclosure yourself, provide evidence of active exploitation, or find a new technique, there's a bonus multiplier for you. Plus, once you earn a 1337 Wordfence Vulnerability Researcher status, you are automatically eligible for a bonus on all vulnerabilities found and reported to our program.
Our payout structure is detailed below, along with examples to illustrate potential payouts. Also, we've outlined bonus multipliers and the criteria for earning them.
We believe in recognizing every piece of the puzzle you help solve. Every vulnerability you uncover, every bug you squash, contributes significantly to the integrity of our open source software. As you navigate through this bounty landscape, remember that your efforts are making a difference.
Scroll down to explore the bounty payout ranges, sample payouts, and bonus opportunities. Each bounty you tackle brings us closer to a safer, more secure open source community, and we can't wait to see what you'll uncover next!
Bounty Reward Possibilities
All vulnerability types that are in-scope will be in-scope for all researchers in all WordPress plugins and themes with >= 1,000 Active Installations AND all plugins and themes hosted in the WordPress.org repository with at least 50 active installs that have been updated in the last 2 years will be in-scope for ALL researchers. In addition, Standard Researchers will receive an automatic bonus of 5-30% on all submissions in software with 1,000 to 4,999,999 Active Installs, Resourceful Researchers will receive an automatic 20-120% bonus on all submissions in software with 1,000 to 4,999,999 Active Installs, while 1337 Researchers will receive an automatic 30-180% bonus on all submissions in software with 1,000 to 4,999,999 Active Installs. All researchers' pending report limits have also been temporarily increased for the promotion and the minimum bounty we will award during this period is $5.
Finally, all in-scope submissions for plugins and themes with >= 5,000,000 Active Installations will earn triple our top non-bonused bounties, making our highest reward $31,200!
Please note that the bounty estimator provides an estimated reward amount only and is subject to change at any time. Any estimate provided by the bounty estimator is not a guarantee of a specific reward amount. Many factors can impact the bounties we award such as:
- Prerequisites to exploit, such as software settings or specific server configuration
- Ease and replicability of exploitation (i.e. can the vulnerability be automatically exploited across various environments)
- Active user interaction, or unlikely passive user interaction, as a requirement to exploit
- The impact the vulnerabilities has on the site as a whole (i.e. to what extent does the vulnerability impact the CIA of the site).
- PHP Object Injection will be awarded at the highest level of impact if a usable gadget is present in the software, or in the current version of WordPress Core.
Bug Bounty Bonuses
All vulnerability types that are in-scope will be in-scope for all researchers in all WordPress plugins and themes with >= 1,000 Active Installations AND all plugins and themes hosted in the WordPress.org repository with at least 50 active installs that have been updated in the last 2 years will be in-scope for ALL researchers. In addition, Standard Researchers will receive an automatic bonus of 5-30% on all submissions in software with 1,000 to 4,999,999 Active Installs, Resourceful Researchers will receive an automatic 20-120% bonus on all submissions in software with 1,000 to 4,999,999 Active Installs, while 1337 Researchers will receive an automatic 30-180% bonus on all submissions in software with 1,000 to 4,999,999 Active Installs. All researchers' pending report limits have also been temporarily increased for the promotion and the minimum bounty we will award during this period is $5.
Finally, all in-scope submissions for plugins and themes with >= 5,000,000 Active Installations will earn triple our top non-bonused bounties, making our highest reward $31,200!
The following outlines some bonuses Wordfence may award select vulnerabilities with as long as the criteria is met.
Proof of Active Exploitation on an 0-day?
15%
Chaining Master!
15%
Creative Vulnerability Finder
10%
Meaningful Researcher
10%
1337 Wordfence Vulnerability Researcher Program Bonus
5%
Affects Multiple Assets?
Varies
This may be limited to 100 affected software pieces. A researcher is only eligible for this bonus if they have documented all affected software and versions in their report.
Affects Multiple Functions?
Varies
Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!
Learn moreWant to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.
The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.
Documentation