🎉 Welcome to the Wordfence Intelligence Bug Bounty Program 🎉

Unleash Your Potential, Secure WordPress, and Reap the Rewards!

Are you a security researcher dedicated to uncovering vulnerabilities in WordPress plugins and themes, or are you a seasoned Bug Bounty Hunter uncovering the worst of the worst? Whether you're an aspiring WordPress vulnerability researcher, an experienced bug bounty hunter, or simply passionate about contributing to the WordPress ecosystem, you've come to the right place!

Join the Wordfence WordPress Bug Bounty Program and become a part of a thriving community of talented individuals committed to making the internet a safer place. Our program celebrates and rewards your invaluable contributions to WordPress security, recognizing the hard work and expertise of researchers like you.

Why Participate?

By joining our mission, you'll enjoy a range of benefits that include:

Earning Rewards

Get paid rewards for your efforts in uncovering vulnerabilities in WordPress plugins and themes and strengthening the platform millions rely on. Bounty rewards go all the way up to $31,200 for vulnerabilities reported to our program.

Simplifying the Disclosure Process

We handle every step of the disclosure process, ensuring that vulnerabilities in WordPress plugins and themes are disclosed professionally and you have more time to focus on research.

Empowering the WordPress Community

We'll share your research with the wider WordPress community for free, enabling others to benefit from your insights while you continue to reap the rewards.

Showcasing Your Achievements

Highlight your accomplishments in a dedicated researcher profile, demonstrating your expertise and attracting new opportunities. You can sign up as a researcher today to modify the details of your personal profile, or log in to an already existing Wordfence account and register your researcher profile.

Obtaining CVE IDs

Receive a CVE ID for each vulnerability you report, gaining industry-recognized credibility and boosting your reputation as a security expert.

Collecting Exclusive Badges

Earn unique badges that mark your achievements and stay tuned for new awards and badges, coming soon!

Competing with the Best

Track your progress against other WordPress security researchers and engage in friendly competition, with more ranking metrics coming soon!

Massive Whitebox Scope

An open source ecosystem with thousands of in-scope plugins and themes means plenty of opportunities and a lower barrier to entry.

In Scope Assets

🚨 High Threat Vulnerabilities 🚨

All WordPress plugins and themes, free and premium (excluding those listed in Out of Scope Assets) with

Any Install Count *
>= 1,000  Active Installations

for selected High Threat Vulnerabilities exploitable by unauthenticated or low-level authenticated attackers:

  • Arbitrary PHP File Upload or Read
  • Arbitrary PHP File Deletion
  • Arbitrary Options Update
  • Remote Code Execution
  • Authentication Bypass to Admin
  • Privilege Escalation to Admin
  • Stored Cross-Site Scripting
  • SQL Injection

* Revised Active Installation thresholds apply only for the duration of the current promotional period.
Assets with fewer than 1,000 active installations must be hosted in the WordPress.org repository to be considered in-scope.

All Other Vulnerabilities

For other vulnerabilities, all WordPress plugins and themes, free and premium (excluding those listed in Out of Scope Assets) are in scope with active installation thresholds that vary with your Researcher tier:

Standard Researchers

>= 50  Active Installations *
>= 50,000  Active Installations

Resourceful Researchers

>= 50  Active Installations *
>= 15,000  Active Installations

1337 Researchers

>= 50  Active Installations *
>= 1,000  Active Installations

* Revised Active Installation thresholds apply only for the duration of the current promotional period.
Assets with fewer than 1,000 active installations must be hosted in the WordPress.org repository and have been updated within the last 2 years to be considered in-scope.

If in doubt on what's in scope for your tier, use our bounty estimator to check if your discovery is in scope, or out of scope.

Out of Scope Assets

There are some assets explicitly out of scope of our bug bounty program which are listed below. Please note this list is non-exhaustive and there may be other products not currently listed in our Out-Of-Scope Asset List that are considered out of scope. If you would like to confirm whether a specific product is in-scope prior to submission, please contact us at wfi-support@wordfence.com. We will still assign CVE IDs to any vulnerabilities listed in the products below.

  • WordPress Core
  • All Automattic Products
  • All Brainstorm Force Products
  • All Facebook Products
  • All Google Products
  • All Siteground Products
  • All Yoast Products

Additionally, Plugins or Themes Closed to Downloads or Sales at the time of submission, or any web service associated with a WordPress plugin or theme that is not run locally (such as an API running on a plugin vendor’s website) is considered out of scope.

We may still assign CVEs to any vulnerabilities discovered in the products outlined above, however, they will not be eligible for a bounty through our bug bounty program.

Explicitly In-Scope Vulnerabilities

All issues in WordPress Plugins and Themes with a considerable impact to the confidentiality, integrity, and availability of a WordPress site are considered in scope of this program as long as they do not require high level permissions, such as administrator or editor (i.e. CVSSv3.1 PR:H) to exploit. The following is a list of some common vulnerabilities that will be accepted.

  • Stored Cross-Site Scripting
  • Reflected Cross-Site Scripting
  • Cross-Site Request Forgery, that has a considerable impact on a site’s security
  • Missing Authorization, that leads to a considerable impact on a site’s security
  • Arbitrary Content Deletion
  • SQL Injection
  • Insecure Direct Object Reference
  • Arbitrary File Upload
  • Arbitrary File Download/Read
  • Arbitrary File Deletion
  • Local File Include/Remote File Include
  • Directory Traversal
  • Privilege Escalation to Admin
  • Privilege Escalation to Non-Admin
  • Authentication Bypass to Admin
  • Authentication Bypass to Non-Admin
  • Remote Code Execution/Code Injection
  • Information Disclosure
  • Server-Side Request Forgery
  • PHP Object Injection
  • Intentional Backdoors Added by Developers that are Accessible by Threat Actors

Explicitly Out of Scope Vulnerabilities

Vulnerabilities that have a minimal impact on the security of WordPress sites, or are unlikely to be successfully exploited in the wild will likely be considered out of scope for the program.

  • CSV Injection
  • IP Spoofing, where the only impact is integrity
  • Secrets (such as 2FA secrets) that are stored in plaintext in a database that can’t be exploited through another Vulnerability in the plugin
  • Web Application Firewall (WAF) Rule Bypasses
  • CSS Injection, where there is not a considerable and demonstrable impact to a site’s security
  • HTML Injection, where there is not a considerable and demonstrable impact to a site’s security
  • DoS Vulnerabilities, where there is not a considerable and demonstrable impact to a site’s security
  • CAPTCHA Bypasses
  • CORS Issues
  • Software containing vulnerable packages or dependencies that are not verifiably exploitable in that plugin or theme
  • Any vulnerability requiring PR:H to exploit. Administrator, Editor, and Shop Manager roles, along with any other role that has the 'unfiltered_html' capability fall into this category.
  • Open Redirect
  • TabNabbing
  • Vulnerabilities dependent on successfully exploiting a race condition that is not easily replicable in a common configuration.
  • Cache Poisoning, where there is not a considerable and demonstrable impact to a site’s security
  • TOCTOU, where there is not a considerable and demonstrable impact to a site’s security
  • Self Cross-Site Scripting
  • Issues that lead to Username Enumeration
  • Theoretical Vulnerabilities
  • Lack of HTTP Headers
  • Clickjacking
  • Server-Side Request Forgery via DNS Rebinding
  • API Key Updates/Overwrites/Reads
  • Full Path Disclosure
  • Cross-Site Request Forgery on unauthenticated forms or on forms with no sensitive actions (examples include disabling a non-critical admin notice)
  • Vulnerabilities that only affect users of outdated or unpatched browsers (An outdated or unpatched browser is considered 2 stable versions behind the latest released version).
  • Any Vulnerability with a CVSS 3.1 score that is lower than 4.0 and can’t be leveraged to achieve a higher score.
  • Vulnerabilities only exploitable on configurations running EOL versions of software, such as PHP, MySQL, Apache, nginx, OpenSSL
  • Any SQL Injection that requires wp_magic_quotes to be disabled in order to exploit
  • Security issues or vulnerabilities that require local access to the server to exploit
  • Vulnerabilities that can only be exploited by an administrator explicitly granting access to a lower-privileged user
  • Vulnerabilities that require brute force to exploit

We may still assign CVEs to any vulnerabilities discovered in the out of scope list above, however, they will not be eligible for a bounty through our bug bounty program.

Program Rules Key Highlights & Important Things to Know

  • You must be a registered researcher on the Wordfence website, and be authenticated at the time of submission, in order to submit a vulnerability for the Bug Bounty Program.
  • Vulnerabilities that require more than one CVE assignment may only earn a single bounty for the higher awarding CVE (i.e. Cross-Site Request Forgery and Missing Authorization in a single function)
  • Researchers can be banned or throttled from the program if they are continuously submitting low-quality or spammy false positive reports, or appear to be gaming the rules of the program in a harmful fashion.
  • Developers cannot report vulnerabilities in their own software for bounties, though they can submit issues for CVE ID assignments.
  • Wordfence must handle the responsible disclosure process for any reported vulnerabilities, and you must keep the information confidential until we publicly disclose the issue in our database. This means Wordfence must be the only organization you submit the vulnerability to.
  • The first researcher to submit a vulnerability with a valid and working proof of concept will be the only one to receive a bounty in the event of a duplicate report.
  • Bounty payments are processed in bulk on the 1st and 15th of every month.
  • In-Scope submissions are typically triaged within 5-7 business days, with critical issues typically having a much faster turnaround. Out-of-Scope submissions are triaged as time allows.
  • Remember that when you participate in our Bug Bounty program, you are giving back to the security of the WordPress ecosystem. All of the vulnerabilities submitted to us are added to the Wordfence Intelligence vulnerability database which is given back to the community through webhook and API access completely for free. All other WordPress-centric vulnerability databases charge for this level of access.

Pending In-Scope Report Limits

All researchers have a limit to the number of vulnerabilities that can be actively submitted and pending triage at one time for participation in the Bug Bounty Program. The following outlines these pending report limits:

Standard Researchers

30 pending in-scope reports *
5 pending in-scope reports

Resourceful Researchers

45 pending in-scope reports *
15 pending in-scope reports

1337 Researchers

60 pending in-scope reports *
30 pending in-scope reports

* Revised pending in-scope reports allowances apply only for the duration of the current promotional period.

Out-of-scope submissions adequately marked as such upon submission do not count against this limit so you can still request CVEs for anything that would not constitute a bounty under our program.

This allows us to control the flow of submissions to ensure we can sustain reasonable triage times for all of our researchers and everyone has a fair chance at submitting qualifying vulnerabilities.

When do in-scope reports roll over?

As soon as you get the message that a submitted vulnerability is validated, or it has been rejected, that means you have one more open slot to submit a vulnerability. Pro-tip: You will know if you are at your pending report limit by accessing the vulnerability submission form. If you get a notice that you are at your limit then you can not submit any more vulnerabilities for participation in the Bug Bounty Program. If you do not get a notice, then you are all clear to submit another bounty-eligible report.

For a more detailed overview, please read our terms and conditions.

There are various researcher tiers that control what your scope is and how many pending vulnerability submission reports you can have at any given time.

Standard Researchers

Every registered researcher starts out in our standard researcher tier.

This tier allows:

  • up to 30* in scope reports pending triage at any given time
  • all predefined high threat vulnerabilities in WordPress plugins/themes with any number of active installations* to be in scope. See Program Scope for more details on high threat vulnerabilities.
  • all other in-scope vulnerabilities in WordPress plugins/themes with >= 50 active installations* to be eligible.

Resourceful Researchers

These are researchers who have proven they have what it takes to provide significant and meaningful contributions to security of the WordPress ecosystem.

This tier allows:

  • up to 45* in scope reports pending triage at any given time
  • all predefined high threat vulnerabilities in WordPress plugins/themes with any number of active installations* to be in scope. See Program Scope for more details on high threat vulnerabilities.
  • all other in-scope vulnerabilities in WordPress plugins/themes with >= 50 active installations* to be eligible.

To unlock this tier, you must:

  • submit 1 critical severity in scope vulnerability
  • or 3 high severity in scope vulnerabilities

and:

  • you must not have submitted more than 5 False Positive or Low Quality Reports.

Additional Benefits

  • an exclusive achievement badge added to your profile

1337 Researchers

These are researchers who have demonstrated exceptional and meaningful research in the WordPress ecosystem.

This tier allows:

  • up to 60* in scope reports pending triage at any given time
  • all predefined high threat vulnerabilities in WordPress plugins/themes with any number of active installations* to be in scope. See Program Scope for more details on high threat vulnerabilities.
  • all other in-scope vulnerabilities in WordPress plugins/themes with >= 50 active installations* to be eligible.

To unlock this tier, you must:

  • submit 5 critical severity in scope vulnerabilities
  • or 10 high severity in scope vulnerabilities

and:

  • submit proof of a certification (OSCP, OSWA, OSWE, OSEP, OSED, eWPTx, eWPT, CISSP, CISM, CISA, GWAPT)
  • or submit 15 high quality valid vulnerabilities in total

and:

  • submit no more than 10 False Positive or Low Quality reports.

Additional Benefits

  • 5% automatic bonus on all eligible submissions
  • an exclusive achievement badge added to your profile

* These active installation thresholds and pending in-scope report limits apply only for the duration of the current promotional period.
Assets with fewer than 1,000 active installations must be hosted in the WordPress.org repository to be considered in-scope.

What are critical or high severity vulnerabilities in our eyes?

Qualifying vulnerabilities are not based on CVSS score, but rather a combination of CVSS scoring and the threat factor (i.e. likelihood of mass exploitation) of the vulnerability. The following outlines vulnerabilities that are critical and high "severity" qualifying vulnerabilities. This list is exhaustive, but exceptions may be made for vulnerabilities on a case by case basis. Please note that these all assume there are no prerequisites to exploit (i.e. settings or user interaction). In order for a vulnerability to qualify, the vulnerable plugin or theme should have >=50,000 active installations.

Critical Severity Examples

  • Unauthenticated Arbitrary File Deletion
  • Unauthenticated Arbitrary File Read
  • Unauthenticated Arbitrary File Upload to Remote Code Execution
  • Unauthenticated Remote Code Execution
  • Unauthenticated Privilege Escalation
  • Unauthenticated SQL Injection
  • Unauthenticated Stored Cross-Site Scripting
  • Missing Authorization to Unauthenticated Data Alteration or Read in a Critical Way
  • Authentication Bypass to Admin

High Severity Examples

  • Authenticated (Subscriber/Customer) Remote Code Execution
  • Authenticated (Subscriber/Customer) Arbitrary File Upload to Remote Code Execution
  • Authenticated (Subscriber/Customer) Arbitrary File Deletion
  • Authenticated (Subscriber/Customer) Arbitrary File Read
  • Authenticated (Subscriber/Customer) Privilege Escalation to Admin
  • Authenticated (Subscriber/Customer) SQL Injection
  • Authenticated (Subscriber/Customer) Stored Cross-Site Scripting
  • Missing Authorization to Authenticated (Subscriber/Customer) Data Alteration or Read in a Critical Way

Our goal with the Wordfence Bug Bounty Program is to get the most impactful and harder to find vulnerabilities remediated before threat actors can find and exploit them as an 0-day. This means we award the highest bounty rewards for things like authentication bypasses, privilege escalation, arbitrary file uploads, and arbitrary options updates while easier to find vulnerabilities like Cross-Site Scripting, or less likely to be exploited vulnerabilities, like vulnerabilities that require contributor-level access or user interaction to exploit, are awarded far less. We hope this encourages researchers to spend more time focusing on harder to find critical issues that greatly increase the overall security of the WordPress ecosystem.

All bounty rewards are based on how many active installations the vulnerable piece of software has, the type of vulnerability being reported, the authentication requirements to exploit the vulnerability, the impact of the vulnerability, and what prerequisites, if any, are required to exploit it.

Our rewards go all the way up to $31,200 for standard researchers, and $32,760 for 1337 Researchers. Use our bounty estimator to get an idea of what bounties you may be awarded for different vulnerability types.

Please note that the bounty estimator provides an estimated reward amount only and is subject to change at any time. Any estimate provided by the bounty estimator is not a guarantee of a specific reward amount. Many factors can impact the bounties we award such as:

  • Prerequisites to exploit, such as software settings or specific server configuration
  • Ease and replicability of exploitation (i.e. if the vulnerability can be automatically exploited across various environments)
  • Active user interaction, or unlikely passive user interaction, as a requirement to exploit
  • The impact the vulnerability has on the site as a whole (i.e. to what extent does the vulnerability impact the CIA of the site).
  • Dependency on another vulnerability not present in the same vulnerable piece of software. Typically the payout is divided by at least half.

Other important things to consider with the bounties we typically award:

  • PHP Object Injection will be awarded at the highest level of impact if a usable gadget is present in the software, or in the current version of WordPress Core, and exploitation of it is demonstrated in the submitted report. Otherwise, PHP Object Injection is awarded at a lower rate to account for the fact that no usable gadget means no real impact.
  • The ‘Basic Information Disclosure’ type is often used when information is exposed to unauthorized users, but the information is not incredibly sensitive (i.e. email disclosure, log file exposure, phpinfo access, etc.)
  • For premium plugins and themes without public active installation counts, we defer to number of sales as a 1-to-1 count of active installations. This means that if a plugin has 150,000 sales then we would consider that 150,000 active installations. If no sales information is available, we use an internal metric to ballpark estimate active installation counts.
  • If there is a premium version of a free plugin or theme where the premium version of the software is in an in-scope installation range, we may consider the premium version of the software in-scope based on the free plugin's install count. However, the reward will be based on the premium version of the plugin or theme's installation counts.

Bounty Bonuses

In addition to our bounties, we offer bonuses for exceptional, well documented, and unique researchers. Please find all of the additional bonuses we may award listed below:

Proof of Active Exploitation on an 0-day?
15%

If you are able to supply sufficient evidence that a vulnerability is being actively exploited, without a patch in place, and we can corroborate that evidence, you may receive this multiplier.

Chaining Master!
15%

If you are able to successfully chain multiple vulnerabilities together in a single piece of software to achieve a higher impact vulnerability, such as privilege escalation to admin, you may receive this multiplier.

Creative Vulnerability Finder
10%

If you find a new technique or vulnerability type that hasn’t received much coverage, you may receive this multiplier.

Meaningful Researcher
10%

If you submit a vulnerability report with ample documentation and an easy to use proof of concept to verify the vulnerability, you may receive this multiplier.

1337 Wordfence Vulnerability Researcher Program Bonus
5%

Once you earn 1337 Wordfence Vulnerability Researcher status, you are automatically eligible to receive this bonus on all vulnerabilities found and reported to the Wordfence bug bounty program.

Affects Multiple Assets?
Varies

If you submit a vulnerability that affects multiple pieces of software (i.e. the same code is present in multiple pieces of software) and you detail all the software, you may receive a multiplier of +10% for every 10 pieces of software affected.

This may be limited to 100 affected software pieces. A researcher is only eligible for this bonus if they have documented all affected software and versions in their report.

Affects Multiple Functions?
Varies

If you submit a vulnerability type that affects multiple functions (i.e. the vulnerability type is present in multiple functions or pieces of functionality) and you detail all the functions, widgets, and/or functionality you may receive a multiplier of +20% for each of the first 5 functions or widgets affected, +10% for every 5 functions affected from 6 to 20, and then +5% for every 5 functions affected from 21-50.

This may be limited to 50 affected functions. A researcher is only eligible for this bonus if they have documented all affected functions adequately in their report.

The Achievement Badges for the Wordfence Bug Bounty Program are designed to recognize the contributions and skills of participants in enhancing the security of the WordPress open-source community. Through a system of badges named "Achievements," individuals are rewarded for their expertise, perseverance, and collaborative efforts in making the WordPress environment safer. These badges signify not only personal growth and discovery but also professional development, as they are displayed on the researcher's profile, enhancing their reputation and providing clear milestones in their bug-hunting career.

This initiative encourages both seasoned and novice security researchers to engage actively, pursue continual improvement, and gain acknowledgment within the open-source ecosystem, with the promise of expanding the badge offerings in the future to further incentivize and track progress in contributing to a more secure open-source community.

Submitted XSS Vulnerability

This achievement is awarded to individuals who have submitted at least one valid Cross-Site Scripting (XSS) vulnerability to the bug bounty program. Please note, in order for a researcher to earn this badge the vulnerability must be submitted directly to Wordfence and must have a registered researcher account at the time of submission.

WordPress Superhero

This achievement is awarded to individuals who have submitted at least one critical or high severity vulnerability in a plugin or theme with over 5,000,000 Active Installations to the Wordfence Bug Bounty Program.

Resourceful Researcher

This achievement is exclusively for researchers who earn the Resourceful Researcher status. These individuals have demonstrated significant and meaningful research in the WordPress Security space.

1337 Vulnerability Researcher

This achievement is exclusively for researchers who earn 1337 Wordfence Vulnerability Researcher status. These individuals have demonstrated exceptional and meaningful research in the WordPress Security space.

Submitted 1 Vulnerability

This achievement is awarded to individuals who have submitted at least one valid vulnerability to the bug bounty program. Please note, in order for a researcher to earn this badge the vulnerability must be submitted directly to Wordfence and must have a registered researcher account at the time of submission.

Submitted 5 Vulnerabilities

This achievement is awarded to individuals who have submitted at least five valid vulnerabilities to the bug bounty program. Please note, in order for a researcher to earn this badge the vulnerability must be submitted directly to Wordfence and must have a registered researcher account at the time of submission.

Submitted 10 Vulnerabilities

This achievement is awarded to individuals who have submitted at least ten valid vulnerabilities to the bug bounty program. Please note, in order for a researcher to earn this badge the vulnerability must be submitted directly to Wordfence and must have a registered researcher account at the time of submission.

Submitted 25 Vulnerabilities

This achievement is awarded to individuals who have submitted at least twenty five valid vulnerabilities to the bug bounty program. Please note, in order for a researcher to earn this badge the vulnerability must be submitted directly to Wordfence and must have a registered researcher account at the time of submission.

Submitted 50 Vulnerabilities

This achievement is awarded to individuals who have submitted at least fifty valid vulnerabilities to the bug bounty program. Please note, in order for a researcher to earn this badge the vulnerability must be submitted directly to Wordfence and must have a registered researcher account at the time of submission.

Submitted 75 Vulnerabilities

This achievement is awarded to individuals who have submitted at least seventy five valid vulnerabilities to the bug bounty program. Please note, in order for a researcher to earn this badge the vulnerability must be submitted directly to Wordfence and must have a registered researcher account at the time of submission.

Submitted 100 Vulnerabilities

This achievement is awarded to individuals who have submitted at least one hundred valid vulnerabilities to the bug bounty program. Please note, in order for a researcher to earn this badge the vulnerability must be submitted directly to Wordfence and must have a registered researcher account at the time of submission.

Submitted 200 Vulnerabilities

This achievement is awarded to individuals who have submitted at least two hundred valid vulnerabilities to the bug bounty program. Please note, in order for a researcher to earn this badge the vulnerability must be submitted directly to Wordfence and must have a registered researcher account at the time of submission.

Submitted 300 Vulnerabilities

This achievement is awarded to individuals who have submitted at least three hundred valid vulnerabilities to the bug bounty program. Please note, in order for a researcher to earn this badge the vulnerability must be submitted directly to Wordfence and must have a registered researcher account at the time of submission.

Submitted 400 Vulnerabilities

This achievement is awarded to individuals who have submitted at least four hundred valid vulnerabilities to the bug bounty program. Please note, in order for a researcher to earn this badge the vulnerability must be submitted directly to Wordfence and must have a registered researcher account at the time of submission.

Submitted 500 Vulnerabilities

This achievement is awarded to individuals who have submitted at least five hundred valid vulnerabilities to the bug bounty program. Please note, in order for a researcher to earn this badge the vulnerability must be submitted directly to Wordfence and must have a registered researcher account at the time of submission.

Submitted 750 Vulnerabilities

This achievement is awarded to individuals who have submitted at least seven hundred and fifty valid vulnerabilities to the bug bounty program. Please note, in order for a researcher to earn this badge the vulnerability must be submitted directly to Wordfence and must have a registered researcher account at the time of submission.

Wordfence Vulnerability Researcher

This achievement is exclusively for employees and contractors of Wordfence. The only way to earn this achievement is to be an employee of Wordfence, or a contractor working with Wordfence, and discover at least one vulnerability.

Standard researchers can have 5 vulnerabilities in scope of the Bug Bounty Program pending triage at any given time. Resourceful researchers can have 15 vulnerabilities in scope of the Bug Bounty Program pending at any given time. 1337 researchers can have 30 vulnerabilities in scope of the Bug Bounty Program pending at any given time. This means that once you reach the limit, no further submissions are considered eligible for a bounty until the currently pending vulnerabilities are triaged. Out-of-Scope vulnerabilities submitted correctly do not count against the pending triage limit.
Vulnerabilities are triaged in order of vulnerability impact and number of users affected. The most critical and impactful vulnerabilities will be processed first, with the least impactful being triaged last.
It’s easy to participate in the Bug Bounty Program! Simply sign-up using this form or, if you're already registered on wordfence.com, you can set-up your researcher profile through the researcher dashboard located here. Once you are ready, you can submit a vulnerability using this form. If the vulnerability is in scope of the Bug Bounty Program and submitted via that form, it will automatically be considered for participation in the Bug Bounty Program. Make sure to review all rules and guidelines prior to participating so you know exactly what to expect.
Bounty reward payouts are processed twice a month: once on the first (1st) of the month and once on the fifteenth (15th) of the month. Any bounty accrued during the period before the next reward payout date will be paid in bulk on the day of processing.

If you do not have a PayPal address on file at the time of reward payout processing, you will need to wait until the next reward payout date to receive any accrued bounties.
Currently, all reward payments are sent through PayPal. Please make sure you have a PayPal email address on file here.
If you are already a registered user on wordfence.com, then you can simply log in to your account and navigate to the researcher dashboard where you can then follow the instructions to set up your researcher profile. These details will show up in the Wordfence Intelligence User Interface once you've submitted at least one valid vulnerability that is in production.
There is no maximum amount of bounties you can earn! The opportunities are endless.
Yes, Wordfence reserves the right to ban any user from participating in the Wordfence Intelligence Bug Bounty Program. Common reasons a user may get banned are exceeding the false positive or out-of-scope vulnerability submission allowance, abusing the system by trying to undergo “bulk” automated bounty hunting, and general misconduct.
Absolutely! You can use the same vulnerability submission form, and just make sure to check the box ‘Yes’ for the question ‘Is this an out-of-scope report just for a CVE assignment or submission to the database? If yes, you will not be eligible for a Bug Bounty.’ on the form.
We handle the responsible disclosure for all bounty-eligible vulnerabilities. You're welcome to handle the responsible disclosure process yourself; however, the vulnerability would then not be eligible for a bounty and would simply get a CVE ID assignment. If you would like to handle the responsible disclosure process yourself, make sure to check ‘No’ for the question ‘Would you like Wordfence to handle the responsible disclosure of this vulnerability on your behalf?’ when completing the vulnerability submission form.
If you do not already have an account on wordfence.com, then you should use this researcher registration form that allows you to supply all of your profile details during registration.

If you already have an account on wordfence.com, then you should access your account here.
No, they are excluded. Submitting too many of these vulnerabilities may cause you to get banned or temporarily blocked from participating in the Bug Bounty Program.
No, plugins and themes with existing Bug Bounty Programs are considered out-of-scope for participation in the Bug Bounty Program.
No, developers are not eligible for bounties in their own software. You’re more than welcome to submit the vulnerability to the database, however, you will not be awarded any bounties for the submission.
All WordPress plugins and themes with over 50,000 active installations, and no existing bug bounty program, are considered explicitly in scope for all standard researchers.

For those in our Resourceful Researchers tier, all WordPress plugins and themes with over 15,000 active installations, and no existing bug bounty program, are considered explicitly in scope.

All WordPress plugins and themes with over 1,000 active installations, and no existing bug bounty program, are considered explicitly in scope for all 1337 Researchers.
For premium plugins and themes, we default to using the sales count as the equivalent of active installations. This means that if a plugin has 150,000 sales, we would consider that 150,000 active installations. If no sales information is available, we use an internal metric to estimate active installation counts.
  1. Stored Cross-Site Scripting
  2. Reflected Cross-Site Scripting
  3. Cross-Site Request Forgery, that has a considerable impact on a site’s security
  4. Missing Authorization, that leads to a considerable impact on a site’s security
  5. Arbitrary Content Deletion
  6. SQL Injection
  7. Insecure Direct Object Reference
  8. Arbitrary File Upload
  9. Arbitrary File Download/Read
  10. Arbitrary File Deletion
  11. Local File Include/Remote File Include
  12. Directory Traversal
  13. Privilege Escalation to Admin
  14. Privilege Escalation to Non-Admin
  15. Authentication Bypass to Admin
  16. Authentication Bypass to Non-Admin
  17. Remote Code Execution/Code Injection
  18. Information Disclosure
  19. Server-Side Request Forgery
  20. PHP Object Injection
  21. Intentional Backdoors Added by Developers that are Accessible by Threat Actors
  • CSV Injection
  • IP Spoofing, where the only impact is integrity
  • Secrets (such as 2FA secrets) that are stored in plaintext in a database that can’t be exploited through another vulnerability in the plugin
  • Web Application Firewall (WAF) Rule Bypasses
  • CSS Injection, where there is no considerable and demonstrable impact to a site’s security
  • HTML Injection, where there is no considerable and demonstrable impact to a site’s security
  • DoS Vulnerabilities, where there is no considerable and demonstrable impact to a site’s security
  • CAPTCHA Bypasses
  • CORS Issues
  • Software containing vulnerable packages or dependencies that are not verifiably exploitable in that plugin or theme
  • Any Vulnerability requiring PR:H to Exploit (Administrator, Editor, and Shop Manager roles fall into this category)
  • Open Redirect
  • TabNabbing
  • Vulnerabilities dependent on successfully exploiting a race condition that is not easily replicable in a common configuration.
  • Cache Poisoning, where there is no considerable and demonstrable impact to a site’s security
  • TOCTOU, where there is no considerable and demonstrable impact to a site’s security
  • Self Cross-Site Scripting
  • Issues that lead to Username Enumeration
  • Theoretical Vulnerabilities
  • Lack of HTTP Headers
  • Clickjacking
  • Cross-Site Request Forgery on unauthenticated forms or on forms with no sensitive actions (examples include disabling a non-critical admin notice)
  • Vulnerabilities that only affect users of outdated or unpatched browsers (An outdated or unpatched browser is considered 2 stable versions behind the latest released version).
  • Any vulnerability with a CVSS 3.1 score that is lower than 4.0 and can’t be leveraged to achieve a higher score.
  • Vulnerabilities only exploitable on configurations running EOL versions of software, such as PHP, MySQL, Apache, nginx, OpenSSL
  • Any SQL Injection that requires wp_magic_quotes to be disabled in order to exploit
  • Security issues or vulnerabilities that require local access to the server to exploit
  • Vulnerabilities that can only be exploited by an administrator explicitly granting access to a lower-privileged user
  • Vulnerabilities that require brute force to exploit
Once your profile has been approved for the first time, you can manage your payment and reward payout history here. If you chose to use the same email for PayPal and your email address during registration, your email will automatically be there. Otherwise, you can add your preferred PayPal address here. This is also where you will see all of your upcoming rewards and reward payout history once you have approved bounties.

To be considered for "1337 Wordfence Vulnerability Researcher" status, a Researcher must meet and maintain the following requirements.

  • The Researcher must complete at least one of the following:
    • Discover and submit 5 or more Critical Severity, High Impact Vulnerabilities with high quality reports.
    • Discover and submit 10 or more High Severity, High Impact Vulnerabilities with high quality reports.
  • In addition to completing at least one of the following:
    • Discover and submit 15 high quality Vulnerability reports. These reports have very detailed information and an easy to validate proof of concept.
    • Has not submitted more than 10 false positive or out-of-scope Vulnerability reports.
    • Submit proof of approved offensive security certification or other mastery security certification. The following list is exhaustive, and additional qualifying certifications may be added over time: OSCP, OSWA, OSWE, OSEP, OSED, eWPTx, eWPT, CISSP, CISM, CISA.
  • To maintain 1337 Wordfence Vulnerability Researcher credibility, a Researcher must ensure the following is completed each year:
    • Ensure you don't submit more than 10 false positive or Low Quality Vulnerability reports in a 90 day window.
    Additionally, at least one of the following must be completed in the same period:
    • Report at least 5 critical severity Vulnerabilities
    • Report at least 10 high severity Vulnerabilities
    • Report at least 20 medium severity Vulnerabilities

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.