Our Bug Bounty Program Extravaganza is Back and it’s Longer This Time – Earn up to $10,000 for Vulnerabilities in WordPress Software!

At Wordfence our mission is to Secure The Web. WordPress powers over 40% of the Web, and Wordfence secures over 4 million WordPress websites. Our last extravaganza, the Holiday Bug Extravaganza, was so successful that we decided to do it again to kick off the New Year right. Introducing our New Year Bug Extravaganza! Through February 29th, 2024, all researchers will earn a 6.25x multiplier on all of our awarded bounties, making the top bounty through our Bug Bounty Program $10,000.

That’s 37 days to find the biggest and baddest vulnerabilities in WordPress, and reap the largest rewards in the history of WordPress plugins and themes.

If you missed out on the last extravaganza, this is your chance to help contribute to making WordPress a safer ecosystem! As a reminder, we republish these vulnerabilities for free and at no cost for use by vendors, researchers, and anyone else interested, to help secure the WordPress community. That includes free programmatic access via our API. It also includes free use of the data to mass scan WordPress servers for vulnerabilities via Wordfence CLI, which includes completely free vulnerability scanning with no limitations.

Get started by signing up as a researcher and submitting a vulnerability today!

We also just launched a Discord Community for Security Researchers participating in our Bug Bounty Program! If you’re a researcher looking to collaborate and chat with others in the community, join our Discord today!

Please note that we have one additional requirement for this extravaganza: Given the high payouts, we require that Wordfence handle the responsible disclosure process for vulnerabilities submitted during the extravaganza, instead of the researcher interacting with the vendor directly. Most researchers prefer this approach and ask us to handle responsible disclosure, because having Wordfence reach out tends to get a faster response. We’ve made this a requirement for the extravaganza so that we can directly work with vendors to validate vulnerabilities. There will be no delay in disclosure and no delay in adding vulnerabilities to our database, workload permitting.

Examples of Bounty Rewards You Can Earn with the current New Year Bug Extravaganza Multiplier:

Important: Our bounty rates were updated on March 1st, 2024 and may differ from what you see here.

  • $10,000 (regular rate $1,600) for an Unauthenticated Remote Code Execution, Arbitrary File Upload, Privilege Escalation to Admin, Arbitrary Options Update, or Authentication Bypass to Admin in a plugin/theme with 1,000,000+ installs.
    • $7,500 (regular rate $1,200) if the plugin/theme is within the 500,000 – 999,999 active install count range
    • $3,750 (regular rate $600) if the plugin/theme is within the 100,000 – 499,999 active install count range
    • $2,625 (regular rate $400) if the plugin/theme is within the 50,000 – 99,999 active install count range
    • $1,250 (regular rate $200) if the plugin/theme is within the 1,000 – 49,999 active install count range **
    • All bounty rewards decrease as authentication requirements increase, and may decrease if the vulnerability is highly complex to exploit or the impact is limited (e.g. a non-default setting is required). Please note that vulnerabilities such as Cross-Site Scripting or Sensitive Information Disclosure that can lead to high-impact exploitation do not fall into this category. All bounties are awarded based on root impact.
  • $5,000 (regular rate $800) for an Unauthenticated SQL Injection or Local File Include in a plugin/theme with 1,000,000+ installs.
    • $3,650 (regular rate $600) if the plugin/theme is within the 500,000 – 999,999 active install count range
    • $1,875 (regular rate $300) if the plugin/theme is within the 100,000 – 499,999 active install count range
    • $1,250 (regular rate $200) if the plugin/theme is within the 50,000 – 99,999 active install count range
    • $625 (regular rate $100) if the plugin/theme is within the 1,000 – 49,999 active install count range **
    • All bounty rewards decrease as authentication requirements increase, and may decrease if the vulnerability is highly complex to exploit or the impact is limited (e.g. a non-default setting is required).
  • $2,000 (regular rate $320) for an Unauthenticated Stored Cross-Site Scripting, Missing Authorization, PHP Object Injection (with no usable gadget), Sensitive Information Disclosure, or Server-Side Request Forgery vulnerability in a plugin/theme with 1,000,000+ installs
    • $1,500 (regular rate $240) if the plugin/theme is within the 500,000 – 999,999 active install count range
    • $750 (regular rate $120) if the plugin/theme is within the 100,000 – 499,999 active install count range
    • $500 (regular rate $80) if the plugin/theme is within the 50,000 – 99,999 active install count range
    • $250 (regular rate $40) if the plugin/theme is within the 1,000 – 49,999 active install count range **
    • All bounty rewards decrease as authentication requirements increase, and may decrease if the vulnerability is highly complex to exploit or the impact is limited (e.g. a non-default setting is required).
  • $500 (regular rate $80) for a Reflected Cross-Site Scripting, Cross-Site Request Forgery, or Basic Information Disclosure vulnerability in a plugin/theme with 1,000,000+ installs
    • $375 (regular rate $60) if the plugin/theme is within the 500,000 – 999,999 active install count range
    • $187.50 (regular rate $30) if the plugin/theme is within the 100,000 – 499,999 active install count range
    • $125 (regular rate $20) if the plugin/theme is within the 50,000 – 99,999 active install count range
    • $62.50 (regular rate $10) if the plugin/theme is within the 1,000 – 49,999 active install count range **
    • All bounty rewards in this category assume a required user-interaction component and no authentication, and may decrease if the vulnerability is highly complex to exploit or the impact is limited (e.g. a non-default setting is required)

** 1337 Researchers only.

How to Participate in the Wordfence New Year Bug Extravaganza:

  1. Review our Reward Payout Schedule here, along with our terms and conditions.
  2. Register as a researcher. Please note all profiles are moderated within 72 hours (typically much faster), but you can submit your first vulnerability while waiting for profile approval.
  3. Submit your vulnerability using the vulnerability submission form whenever you are ready.
  4. Kick back and relax while the Wordfence team validates the report, awards you a bounty, and works with the developer to ensure it gets patched.

Please share and forward this with your friends so everyone can take advantage of this incredible extravaganza!