🎉Welcome to the Wordfence Intelligence Bug Bounty Program: Unleash Your Potential, Secure WordPress, and Reap the Rewards!

Are you a security researcher dedicated to uncovering vulnerabilities in WordPress plugins and themes? Whether you're an aspiring WordPress vulnerability researcher, an experienced bug bounty hunter, or simply passionate about contributing to the WordPress ecosystem, you've come to the right place!

Join the Wordfence WordPress Bug Bounty Program and become a part of a thriving community of talented individuals committed to making the internet a safer place. Our program celebrates and rewards your invaluable contributions to WordPress security, recognizing the hard work and expertise of researchers like you.

🔎Program Scope:

Our Bug Bounty Program focuses on vulnerabilities in WordPress plugins and themes. To ensure you're on the right track, please review our detailed terms and conditions, which provide a comprehensive understanding of the in-scope and out-of-scope aspects.

In essence, our program covers all WordPress plugins and themes with more than 50,000 active installations, excluding any plugin or theme that already has its own bug bounty program, and is open to all researchers.

For researchers with 1337 Wordfence Vulnerability Researcher status, the program extends to WordPress plugins and themes with more than 1,000 active installations.

Please note, however, that certain vulnerabilities, certain vulnerability types, and vulnerabilities that require specific pre-requisites (e.g. elevated permissions) are explicitly excluded from the program. Some examples of excluded vulnerabilities are as follows:

  • Vulnerabilities that require high-level privileges for exploitation, such as administrator, editor, and shop manager.
  • Vulnerabilities that pose minimal threat to WordPress sites.
  • Cross-Site Request Forgery vulnerabilities with solely read-only effects, or those with minor impacts such as dismissing notifications.

To avoid a potential ban or temporary suspension, please refrain from submitting out-of-scope vulnerabilities as bug bounty submissions. For a comprehensive understanding of what falls within or outside the program's scope, we encourage you to review our terms and conditions here.

🏆Why Participate?

By joining our mission, you'll enjoy a range of benefits that include:

  • Earning Rewards: Get paid rewards for your efforts in uncovering WordPress security vulnerabilities and strengthening the platform millions rely on.
  • Simplifying the Disclosure Process: We can handle every step of the disclosure process, ensuring that vulnerabilities in WordPress plugins and themes are disclosed professionally and you have more time to focus on research.
  • Empowering the WordPress Community: We'll share your research with the wider WordPress community for free, enabling others to benefit from your insights while you continue to reap the rewards.
  • Showcasing Your Achievements: Highlight your accomplishments in a dedicated researcher profile, demonstrating your expertise and attracting new opportunities. You can sign up as a researcher today to modify the details of your personal profile, or log in to an already existing Wordfence account and register your researcher profile.
  • Obtaining CVE IDs: Receive a CVE ID for each vulnerability you report, gaining industry-recognized credibility and boosting your reputation as a security expert.
  • Collecting Exclusive Badges: Earn unique badges that mark your achievements and stay tuned for new awards and badges, coming soon!
  • Competing with the Best: Track your progress against other WordPress researchers and engage in friendly competition, with more ranking metrics coming soon!

💡How to Participate:

To get started, review the terms and conditions, register as a researcher, and then immerse yourself in the world of WordPress security research. Share your findings with us when you're ready by using the vulnerability submission form, and let's collaborate to fortify the WordPress ecosystem and create a safer digital landscape for everyone.

Seize this opportunity to make a difference in the WordPress community while earning rewards and recognition for your expertise. Join the Wordfence Intelligence Bug Bounty Program today and help secure the future of the web!

Frequently Asked Questions (FAQ)

Standard researchers can have 5 in-scope vulnerabilities pending triage at any given time; 1337 researchers can have 30. Once you reach your limit, no further submissions are considered eligible for a bounty until the currently pending vulnerabilities have been triaged. Out-of-scope vulnerabilities that are submitted correctly do not count against the pending triage limit.
Vulnerabilities are triaged in order of vulnerability impact and number of users affected. The most critical and impactful vulnerabilities will be processed first, with the least impactful being triaged last.
It’s easy to participate in the Bug Bounty Program! Simply sign up using this form, or set up your researcher profile through an existing account by going to your account page and scrolling to the bottom. Once you are ready, you can submit a vulnerability using this form. If the vulnerability is in scope of the Bug Bounty Program and submitted via that form, it will automatically be considered for participation in the Bug Bounty Program. Make sure to review all rules and guidelines prior to participating so you know exactly what to expect.
Bounty reward payouts are processed twice a month: once on the first (1st) of the month and once on the fifteenth (15th) of the month. Any bounty accrued during the period before the next reward payout date will be paid in bulk on the day of processing.

If you do not have a PayPal address on file at the time of reward payout processing, you will need to wait until the next reward payout date to receive any accrued bounties.
Currently, all reward payments are sent through PayPal. Please make sure you have a PayPal email address on file here.
If you are already a registered user on wordfence.com, then you can simply log in to your account page, scroll to the bottom and then follow the instructions to set up your researcher profile. These details will show up in the Wordfence Intelligence User Interface once you’ve submitted at least one valid vulnerability that is in production.
There is no maximum amount of bounties you can earn! The opportunities are endless.
Yes, Wordfence reserves the right to ban any user from participating in the Wordfence Intelligence Bug Bounty Program. Common reasons a user may get banned are exceeding the false positive or out-of-scope vulnerability submission allowance, abusing the system by attempting “bulk” automated bounty hunting, and general misconduct.
Absolutely! You can use the same vulnerability submission form, and just make sure to check the box ‘Yes’ for the question ‘Is this an out-of-scope report just for a CVE assignment or submission to the database? If yes, you will not be eligible for a Bug Bounty.’ on the form.
That is up to you! We are happy to handle the disclosure on your behalf; however, you are also welcome to carry out the responsible disclosure process yourself.

If you would like us to handle the responsible disclosure process, make sure to check ‘Yes’ for the question ‘Would you like Wordfence to handle the responsible disclosure of this vulnerability on your behalf?’ when completing the vulnerability submission form.
If you do not already have an account on wordfence.com, then you should use this researcher registration form that allows you to supply all of your profile details during registration.

If you already have an account on wordfence.com, then you should access your account here.
No, they are excluded. Submitting too many of these vulnerabilities may cause you to get banned or temporarily blocked from participating in the Bug Bounty Program.
No, plugins and themes with existing Bug Bounty Programs are considered out-of-scope for participation in the Bug Bounty Program.
No, developers are not eligible for bounties in their own software. You’re more than welcome to submit the vulnerability to the database, however, you will not be awarded any bounties for the submission.
All WordPress plugins and themes with over 50,000 active installations, and no existing bug bounty program, are considered explicitly in scope for all standard researchers.

All WordPress plugins and themes with over 1,000 active installations, and no existing bug bounty program, are considered explicitly in scope for all 1337 researchers.
  1. Stored Cross-Site Scripting
  2. Reflected Cross-Site Scripting
  3. Cross-Site Request Forgery, that has a considerable impact on a site’s security
  4. Missing Authorization, that leads to a considerable impact on a site’s security
  5. Arbitrary Content Deletion
  6. SQL Injection
  7. Insecure Direct Object Reference
  8. Arbitrary File Upload
  9. Arbitrary File Download/Read
  10. Arbitrary File Deletion
  11. Local File Include/Remote File Include
  12. Directory Traversal
  13. Privilege Escalation to Admin
  14. Privilege Escalation to Non-Admin
  15. Authentication Bypass to Admin
  16. Authentication Bypass to Non-Admin
  17. Remote Code Execution/Code Injection
  18. Information Disclosure
  19. Server-Side Request Forgery
  20. PHP Object Injection
  21. Intentional Backdoors Added by Developers that are Accessible by Threat Actors
  • CSV Injection
  • IP Spoofing, where the only impact is integrity
  • Secrets (such as 2FA secrets) that are stored in plaintext in a database that can’t be exploited through another vulnerability in the plugin
  • Web Application Firewall (WAF) Rule Bypasses
  • CSS Injection, where there is no considerable and demonstrable impact on the site’s security
  • HTML Injection, where there is no considerable and demonstrable impact on the site’s security
  • DoS Vulnerabilities, where there is no considerable and demonstrable impact on the site’s security
  • CAPTCHA Bypasses
  • CORS Issues
  • Software containing vulnerable packages or dependencies that are not verifiably exploitable in that plugin or theme
  • Any Vulnerability requiring PR:H (CVSS Privileges Required: High) to Exploit (Administrator, Editor, and Shop Manager roles fall into this category)
  • Open Redirect
  • TabNabbing
  • Vulnerabilities dependent on successfully exploiting a race condition that is not easily replicable in a common configuration.
  • Cache Poisoning, where there is no considerable and demonstrable impact on the site’s security
  • TOCTOU, where there is no considerable and demonstrable impact on the site’s security
  • Self Cross-Site Scripting
  • Issues that lead to Username Enumeration
  • Theoretical Vulnerabilities
  • Lack of HTTP Headers
  • Clickjacking
  • Cross-Site Request Forgery on unauthenticated forms or on forms with no sensitive actions (examples include disabling a non-critical admin notice)
  • Vulnerabilities that only affect users of outdated or unpatched browsers (An outdated or unpatched browser is considered 2 stable versions behind the latest released version).
  • Any vulnerability with a CVSS 3.1 score that is lower than 4.0 and can’t be leveraged to achieve a higher score.
  • Vulnerabilities only exploitable on configurations running EOL versions of software, such as PHP, MySQL, Apache, Nginx, or OpenSSL
  • Any SQL Injection that requires wp_magic_quotes to be disabled in order to exploit
  • Security issues or vulnerabilities that require local access to the server to exploit
  • Vulnerabilities that can only be exploited by an administrator explicitly granting access to a lower-privileged user
  • Vulnerabilities that require brute force to exploit
Once your profile has been approved for the first time, you can manage your payment and reward payout history here. If you chose to use the same email for PayPal and your email address during registration, your email will automatically be there. Otherwise, you can add your preferred PayPal address here. This is also where you will see all of your upcoming rewards and reward payout history once you have approved bounties.

To be considered for "1337 Wordfence Vulnerability Researcher" status, a Researcher must meet and maintain the following requirements.

  • The Researcher must complete at least one of the following:
    • Discover and submit 5 or more Critical Severity, High Impact Vulnerabilities with high quality reports.
    • Discover and submit 10 or more High Severity, High Impact Vulnerabilities with high quality reports.
  • In addition to completing at least one of the following:
    • Discover and submit 15 high quality Vulnerability reports. These reports have very detailed information and an easy to validate proof of concept.
    • Have not submitted more than 10 false positive or out-of-scope Vulnerability reports.
    • Submit proof of an approved offensive security certification or other mastery security certification. The following list is currently exhaustive; additional qualifying certifications may be added over time: OSCP, OSWA, OSWE, OSEP, OSED, eWPTx, eWPT, CISSP, CISM, CISA.
  • To maintain 1337 Wordfence Vulnerability Researcher credibility, a Researcher must ensure the following is completed each year:
    • Ensure you don't submit more than 10 false positive or out-of-scope Vulnerability reports.
    • Report at least 5 critical severity Vulnerabilities.
    • Report at least 10 medium severity Vulnerabilities.
    • Ensure you don't submit more than 10 low-quality Vulnerability reports.

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.