Are you a security researcher dedicated to uncovering vulnerabilities in WordPress plugins and themes, or are you a seasoned Bug Bounty Hunter uncovering the worst of the worst? Whether you're an aspiring WordPress vulnerability researcher, an experienced bug bounty hunter, or simply passionate about contributing to the WordPress ecosystem, you've come to the right place!
Join the Wordfence WordPress Bug Bounty Program and become a part of a thriving community of talented individuals committed to making the internet a safer place. Our program celebrates and rewards your invaluable contributions to WordPress security, recognizing the hard work and expertise of researchers like you.
By joining our mission, you'll enjoy a range of benefits that include:
All WordPress plugins and themes, free and premium (excluding those listed in Out of Scope Assets), are in scope for selected High Threat Vulnerabilities exploitable by unauthenticated or low-level authenticated attackers, with the following Active Installation thresholds:
During the current promotional period: Any Install Count *
Otherwise: >= 1,000 Active Installations
* Revised Active Installation thresholds apply only for the duration of the current promotional period.
Assets with fewer than 1,000 active installations must be hosted in the WordPress.org repository to be considered in-scope.
For other vulnerabilities, all WordPress plugins and themes, free and premium (excluding those listed in Out of Scope Assets), are in scope with Active Installation thresholds that vary with your Researcher tier. The first figure for each tier applies during the current promotional period, the second otherwise:
Standard Researcher: >= 50 Active Installations * / >= 50,000 Active Installations
Resourceful Researcher: >= 50 Active Installations * / >= 15,000 Active Installations
1337 Wordfence Vulnerability Researcher: >= 50 Active Installations * / >= 1,000 Active Installations
* Revised Active Installation thresholds apply only for the duration of the current promotional period.
Assets with fewer than 1,000 active installations must be hosted in the WordPress.org repository and have been updated within the last 2 years to be considered in-scope.
If in doubt on what's in scope for your tier, use our bounty estimator to check if your discovery is in scope, or out of scope.
There are some assets explicitly out of scope of our bug bounty program which are listed below. Please note this list is non-exhaustive and there may be other products not currently listed in our Out-Of-Scope Asset List that are considered out of scope. If you would like to confirm whether a specific product is in-scope prior to submission, please contact us at wfi-support@wordfence.com. We will still assign CVE IDs to any vulnerabilities listed in the products below.
Additionally, plugins or themes closed to downloads or sales at the time of submission, and any web service associated with a WordPress plugin or theme that is not run locally (such as an API running on a plugin vendor's website), are considered out of scope.
We may still assign CVEs to any vulnerabilities discovered in the products outlined above, however, they will not be eligible for a bounty through our bug bounty program.
All issues in WordPress Plugins and Themes with a considerable impact to the confidentiality, integrity, and availability of a WordPress site are considered in scope of this program as long as they do not require high level permissions, such as administrator or editor (i.e. CVSSv3.1 PR:H) to exploit. The following is a list of some common vulnerabilities that will be accepted.
Vulnerabilities that have a minimal impact on the security of WordPress sites, or are unlikely to be successfully exploited in the wild will likely be considered out of scope for the program.
We may still assign CVEs to any vulnerabilities discovered in the out of scope list above, however, they will not be eligible for a bounty through our bug bounty program.
All researchers have a limit to the number of vulnerabilities that can be actively submitted and pending triage at one time for participation in the Bug Bounty Program. The following outlines these pending report limits:
* Revised pending in-scope reports allowances apply only for the duration of the current promotional period.
Out-of-scope submissions adequately marked as such upon submission do not count against this limit so you can still request CVEs for anything that would not constitute a bounty under our program.
This allows us to control the flow of submissions to ensure we can sustain reasonable triage times for all of our researchers and everyone has a fair chance at submitting qualifying vulnerabilities.
As soon as you get the message that a submitted vulnerability has been validated or rejected, you have one more open slot to submit a vulnerability. Pro-tip: you can tell whether you are at your pending report limit by opening the vulnerability submission form. If you get a notice that you are at your limit, you cannot submit any more vulnerabilities for participation in the Bug Bounty Program. If you do not get a notice, you are clear to submit another bounty-eligible report.
For a more detailed overview, please read our terms and conditions.
There are various researcher tiers that control what your scope is and how many pending vulnerability submission reports you can have at any given time.
Every registered researcher starts out in our standard researcher tier.
This tier allows:
These are researchers who have proven they have what it takes to provide significant and meaningful contributions to security of the WordPress ecosystem.
This tier allows:
To unlock this tier, you must:
and:
Additional Benefits
These are researchers who have demonstrated exceptional and meaningful research in the WordPress ecosystem.
This tier allows:
To unlock this tier, you must:
and:
and:
Additional Benefits
* These active installation thresholds and pending in-scope report limits apply only for the duration of the current promotional period.
Assets with fewer than 1,000 active installations must be hosted in the WordPress.org repository to be considered in-scope.
Qualifying vulnerabilities are not based on CVSS score alone, but rather on a combination of CVSS scoring and the threat factor (i.e. likelihood of mass exploitation) of the vulnerability. The following lists the critical- and high-severity vulnerability types that qualify. This list is exhaustive, but exceptions may be made for vulnerabilities on a case by case basis. Please note that these all assume there are no prerequisites to exploit (i.e. settings or user interaction). In order for a vulnerability to qualify, the vulnerable plugin or theme should have >= 50,000 active installations.
Our goal with the Wordfence Bug Bounty Program is to get the most impactful and hardest to find vulnerabilities remediated before threat actors can find and exploit them as a 0-day. This means we award the highest bounty rewards for things like authentication bypasses, privilege escalation, arbitrary file uploads, and arbitrary options updates, while easier to find vulnerabilities like Cross-Site Scripting, or less likely to be exploited vulnerabilities, such as those that require contributor-level access or user interaction to exploit, are awarded far less. We hope this encourages researchers to spend more time focusing on harder to find critical issues that greatly increase the overall security of the WordPress ecosystem.
All bounty rewards are based on how many active installations the vulnerable piece of software has, the type of vulnerability being reported, the authentication requirements to exploit the vulnerability, the impact of the vulnerability, and what, if any, prerequisites to exploit.
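As an added illustration of why an arbitrary options update reachable by an unauthenticated attacker sits at the top of the reward scale (this is constructed example code, not code from this page, from Wordfence, or from any real plugin; the hook, function and option names are invented), the first handler below is registered on WordPress's wp_ajax_nopriv_ hook so that any visitor can write any option, and the second shows the checks a patched version needs. The two handlers are alternatives; a real plugin would register only one.

```php
<?php
/**
 * Constructed example only: not code from any real plugin or from Wordfence.
 * Hook, function and option names are invented for illustration.
 */

/* --- Vulnerable handler ------------------------------------------------
 * Registered on wp_ajax_nopriv_*, so it runs for logged-out visitors
 * (CVSS PR:N). No nonce, no capability check, and the option name and value
 * come straight from the request, so the caller chooses what gets written.
 * Registering only wp_ajax_* (without nopriv) would still leave it exploitable
 * by any logged-in user such as a subscriber (PR:L), which this program also
 * treats as in scope.
 */
add_action( 'wp_ajax_nopriv_demo_save_setting', 'demo_save_setting_vulnerable' );
add_action( 'wp_ajax_demo_save_setting',        'demo_save_setting_vulnerable' );

function demo_save_setting_vulnerable() {
    $name  = $_POST['name'];
    $value = $_POST['value'];
    update_option( $name, $value );
    wp_send_json_success();
}

/*
 * Why this is rated like an authentication bypass: two requests turn it into
 * an administrator account, e.g.
 *   POST /wp-admin/admin-ajax.php
 *        action=demo_save_setting&name=users_can_register&value=1
 *   POST /wp-admin/admin-ajax.php
 *        action=demo_save_setting&name=default_role&value=administrator
 * after which /wp-login.php?action=register creates an administrator.
 */

/* --- Hardened handler --------------------------------------------------
 * Authenticated only, CSRF-protected, authorized, and restricted to an
 * allow-list of option names with a sanitizer for each.
 */
add_action( 'wp_ajax_demo_save_setting', 'demo_save_setting_fixed' ); // no nopriv hook

function demo_save_setting_fixed() {
    // Rejects the request (HTTP 403 and exit) unless a valid nonce for this
    // action is present in the 'nonce' field.
    check_ajax_referer( 'demo_save_setting', 'nonce' );

    // Authorization: only users allowed to manage site options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // exits
    }

    // Allow-list of settings this plugin owns, each with its sanitizer. A
    // caller can no longer name core options such as default_role.
    $allowed = array(
        'demo_banner_text'    => 'sanitize_text_field',
        'demo_items_per_page' => 'absint',
    );

    $name = isset( $_POST['name'] ) ? sanitize_key( wp_unslash( $_POST['name'] ) ) : '';
    if ( ! array_key_exists( $name, $allowed ) ) {
        wp_send_json_error( 'unknown setting', 400 ); // exits
    }

    $raw   = isset( $_POST['value'] ) ? wp_unslash( $_POST['value'] ) : '';
    $value = call_user_func( $allowed[ $name ], $raw );

    update_option( $name, $value );
    wp_send_json_success( array( 'name' => $name, 'value' => $value ) );
}
```

The nonce the hardened handler checks would be generated with wp_create_nonce( 'demo_save_setting' ) and handed to the plugin's JavaScript (for example via wp_localize_script); it protects against CSRF, while current_user_can() is what actually enforces authorization, and the allow-list is what removes the "arbitrary" from the options update. Missing any one of the three is what a researcher reporting under this program looks for.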
Our rewards go all the way up to $31,200 for standard researchers, and $32,760 for 1337 Researchers. Use our bounty estimator to get an idea of what bounties you may be awarded for different vulnerability types:
Please note that the bounty estimator provides an estimated reward amount only and is subject to change at any time. Any estimate provided by the bounty estimator is not a guarantee of a specific reward amount. Many factors can impact the bounties we award such as:
Other important things to consider with the bounties we typically award:
In addition to our bounties, we offer bonuses for exceptional, well documented, and unique research. Please find all of the additional bonuses we may award listed below:
The Achievement Badges for the Wordfence Bug Bounty Program are designed to recognize the contributions and skills of participants in enhancing the security of the WordPress open-source community. Through a system of badges named "Achievements," individuals are rewarded for their expertise, perseverance, and collaborative efforts in making the WordPress environment safer. These badges signify not only personal growth and discovery but also professional development, as they are displayed on the researcher's profile, enhancing their reputation and providing clear milestones in their bug-hunting career.
This initiative encourages both seasoned and novice security researchers to engage actively, pursue continual improvement, and gain acknowledgment within the open-source ecosystem, with the promise of expanding the badge offerings in the future to further incentivize and track progress in contributing to a more secure open-source community.
This achievement is awarded to individuals who have submitted at least one valid Cross-Site Scripting (XSS) vulnerability to the bug bounty program. Please note, in order for a researcher to earn this badge the vulnerability must be submitted directly to Wordfence and must have a registered researcher account at the time of submission.
This achievement is awarded to individuals who have submitted at least one critical or high severity vulnerability in a plugin or theme with over 5,000,000 Active Installations to the Wordfence Bug Bounty Program.
This achievement is exclusively for researchers who earn the Resourceful Researcher status. These individuals have demonstrated significant and meaningful research in the WordPress Security space.
This achievement is exclusively for researchers who earn 1337 Wordfence Vulnerability Researcher status. These individuals have demonstrated exceptional and meaningful research in the WordPress Security space.
This achievement is awarded to individuals who have submitted at least one valid vulnerability to the bug bounty program. Please note, in order for a researcher to earn this badge the vulnerability must be submitted directly to Wordfence and must have a registered researcher account at the time of submission.
This achievement is awarded to individuals who have submitted at least five valid vulnerabilities to the bug bounty program. Please note, in order for a researcher to earn this badge the vulnerability must be submitted directly to Wordfence and must have a registered researcher account at the time of submission.
This achievement is awarded to individuals who have submitted at least ten valid vulnerabilities to the bug bounty program. Please note, in order for a researcher to earn this badge the vulnerability must be submitted directly to Wordfence and must have a registered researcher account at the time of submission.
This achievement is awarded to individuals who have submitted at least twenty five valid vulnerabilities to the bug bounty program. Please note, in order for a researcher to earn this badge the vulnerability must be submitted directly to Wordfence and must have a registered researcher account at the time of submission.
This achievement is awarded to individuals who have submitted at least fifty valid vulnerabilities to the bug bounty program. Please note, in order for a researcher to earn this badge the vulnerability must be submitted directly to Wordfence and must have a registered researcher account at the time of submission.
This achievement is awarded to individuals who have submitted at least seventy five valid vulnerabilities to the bug bounty program. Please note, in order for a researcher to earn this badge the vulnerability must be submitted directly to Wordfence and must have a registered researcher account at the time of submission.
This achievement is awarded to individuals who have submitted at least one hundred valid vulnerabilities to the bug bounty program. Please note, in order for a researcher to earn this badge the vulnerability must be submitted directly to Wordfence and must have a registered researcher account at the time of submission.
This achievement is awarded to individuals who have submitted at least two hundred valid vulnerabilities to the bug bounty program. Please note, in order for a researcher to earn this badge the vulnerability must be submitted directly to Wordfence and must have a registered researcher account at the time of submission.
This achievement is awarded to individuals who have submitted at least three hundred valid vulnerabilities to the bug bounty program. Please note, in order for a researcher to earn this badge the vulnerability must be submitted directly to Wordfence and must have a registered researcher account at the time of submission.
This achievement is awarded to individuals who have submitted at least four hundred valid vulnerabilities to the bug bounty program. Please note, in order for a researcher to earn this badge the vulnerability must be submitted directly to Wordfence and must have a registered researcher account at the time of submission.
This achievement is awarded to individuals who have submitted at least five hundred valid vulnerabilities to the bug bounty program. Please note, in order for a researcher to earn this badge the vulnerability must be submitted directly to Wordfence and must have a registered researcher account at the time of submission.
This achievement is awarded to individuals who have submitted at least seven hundred and fifty valid vulnerabilities to the bug bounty program. Please note, in order for a researcher to earn this badge the vulnerability must be submitted directly to Wordfence and must have a registered researcher account at the time of submission.
This achievement is exclusively for employees and contractors of Wordfence. The only way to earn this achievement is to be an employee of Wordfence, or a contractor working with Wordfence, and discover at least one vulnerability.
To be considered for "1337 Wordfence Vulnerability Researcher" status, a Researcher must meet and maintain the following requirements.
Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!
Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.
The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.