🎁Wordfence just launched its bug bounty program. From today through December 20th 2023, all researchers will earn 6.25x our normal bounty rates when Wordfence handles responsible disclosure for our Holiday Bug Extravaganza! Register as a researcher and submit your vulnerabilities today!🎁
Welcome to the payout hub of our bug bounty program! Here you’ll find the complete details of our bounty payout ranges and bonuses, curated to reflect the importance of your contributions. Your efforts to uncover vulnerabilities in our open source ecosystem are invaluable, and we believe it's essential to reward your hard work appropriately.
The bounty payout is determined by a multitude of factors including the severity of the vulnerability, its likelihood of exploitation, and the potential impact on users. We've divided vulnerabilities into four ranks: Low, Medium, High, and Critical, each with its own payout range. Whether you've unearthed a Cross-Site Request Forgery or exposed an Unauthenticated Remote Code Execution, we've designed our payout structure to reflect the diverse nature of these vulnerabilities.
Please note that our Vulnerability Rank is not solely based on the CVSS score. We also take into account internal metrics to determine how impactful a vulnerability could be to both the site owner and the larger WordPress community. Factors like the likelihood of exploitation, active installation count of affected software, and the likelihood of vulnerability discovery play a crucial role in determining a vulnerability’s payout.
Along with the base bounty, we also offer bonus multipliers, designed to reward the extra mile you go in your quest for bugs. Whether you handle responsible disclosure yourself, provide evidence of active exploitation, or find a new technique, there's a bonus multiplier for you. Plus, once you earn a 1337 Wordfence Vulnerability Researcher status, you are automatically eligible for a bonus on all vulnerabilities found and reported to our program.
Our payout structure is detailed below, along with examples to illustrate potential payouts. Also, we've outlined bonus multipliers and the criteria for earning them.
We believe in recognizing every piece of the puzzle you help solve. Every vulnerability you uncover, every bug you squash, contributes significantly to the integrity of our open source software. As you navigate through this bounty landscape, remember that your efforts are making a difference.
Scroll down to explore the bounty payout ranges, sample payouts, and bonus opportunities. Each bounty you tackle brings us closer to a safer, more secure open source community, and we can't wait to see what you'll uncover next!
The following chart defines the Low/Medium/High/Critical vulnerability payout ranges. Payout amounts will vary for any given vulnerability as we account for the number of potentially impacted users based on active install counts, any prerequisites required to exploit, the severity of the vulnerability, the likelihood of exploitation, and any privileges required to exploit the vulnerability.
The following outlines some sample payouts you could receive based on our impact/severity rating system.
The following outlines the bonuses Wordfence may award for select vulnerabilities, provided the stated criteria are met.
Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!
Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.
The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.