Bug Bounty Program — Reward Payment Schedule

Welcome to the payout hub of our bug bounty program! Here you’ll find the complete details of our bounty payout ranges and bonuses, curated to reflect the importance of your contributions. Your efforts to uncover vulnerabilities in our open source ecosystem are invaluable, and we believe it's essential to reward your hard work appropriately.

The bounty payout is determined by a multitude of factors including the severity of the vulnerability, its likelihood of exploitation, and the potential impact on users. We've divided vulnerabilities into four ranks: Low, Medium, High, and Critical, each with its own payout range. Whether you've unearthed a Cross-Site Request Forgery or exposed an Unauthenticated Remote Code Execution, we've designed our payout structure to reflect the diverse nature of these vulnerabilities.

Please note that our Vulnerability Rank is not solely based on the CVSS score. We also take into account internal metrics to determine how impactful a vulnerability could be to both the site owner and the larger WordPress community. Factors like the likelihood of exploitation, active installation count of affected software, and the likelihood of vulnerability discovery play a crucial role in determining a vulnerability’s payout.

Along with the base bounty, we also offer bonus multipliers, designed to reward the extra mile you go in your quest for bugs. Whether you handle responsible disclosure yourself, provide evidence of active exploitation, or find a new technique, there's a bonus multiplier for you. Plus, once you earn 1337 Wordfence Vulnerability Researcher status, you are automatically eligible for a bonus on all vulnerabilities found and reported to our program.

Our payout structure is detailed below, along with examples to illustrate potential payouts. Also, we've outlined bonus multipliers and the criteria for earning them.

We believe in recognizing every piece of the puzzle you help solve. Every vulnerability you uncover, every bug you squash, contributes significantly to the integrity of our open source software. As you navigate through this bounty landscape, remember that your efforts are making a difference.

Scroll down to explore the bounty payout ranges, sample payouts, and bonus opportunities. Each bounty you tackle brings us closer to a safer, more secure open source community, and we can't wait to see what you'll uncover next!


Bug Bounty Payout Ranges

The following chart defines the Low/Medium/High/Critical vulnerability payout ranges. Payout amounts will vary for any given vulnerability as we account for the number of potentially impacted users based on active install counts, any prerequisites required to exploit, the severity of the vulnerability, the likelihood of exploitation, and any privileges required to exploit the vulnerability.

Low: $0 - $100 / $0 - $625 USD

Examples:

  • Cross-Site Request Forgery
  • Reflected Cross-Site Scripting
  • Low Impact Missing Authorization

Medium: $10 - $300 / $62.50 - $1,875 USD

Examples:

  • Medium Impact Missing Authorization
  • Authenticated Stored Cross-Site Scripting

High: $20 - $600 / $125 - $3,750 USD

Examples:

  • Arbitrary File Deletion
  • Unauthenticated Stored Cross-Site Scripting

Critical: $100 - $1,600 / $625 - $10,000 USD

Examples:

  • Unauthenticated Remote Code Execution
  • Unauthenticated Privilege Escalation
  • Authentication Bypass to Administrative User

Important things to note:

  • Vulnerability Rank is not based on CVSS score, but rather internal metrics that determine how impactful a vulnerability would be to both a site owner and the WordPress community at large. Some factors we look at when determining a vulnerability’s payout are CVSS score, likelihood of exploitation, active installation count of affected software, and likelihood of vulnerability discovery.
  • Eligible vulnerabilities may receive a reduced payout if they depend on another vulnerability that is not present in the same vulnerable piece of software. Typically the payout is reduced by at least half.
  • Vulnerable software is limited to one payout per vulnerability classification (e.g. Cross-Site Scripting, Missing Authorization, Cross-Site Request Forgery) per version; however, a bonus multiplier may be added.
  • For example, if there are 5 functions vulnerable to Missing Authorization in a WordPress plugin that were all patched in version 2.5.3, you will only receive a single payout for Missing Authorization; however, you may be eligible for a bonus.

Example Payouts

The following outlines some sample payouts you could receive based on our impact/severity rating system.

  • An Unauthenticated Remote Code Execution vulnerability in a plugin with 5 million active installations, with minimal or no prerequisites to exploitation, may receive a bounty of $1,600 / $10,000 USD.
  • An Authenticated Stored Cross-Site Scripting vulnerability that requires contributor-level permissions to exploit, in a plugin with 50,000 installs, may receive a bounty of $15 / $94 USD.
  • A Missing Authorization to Settings Change vulnerability that requires subscriber-level permissions to exploit, in a plugin with over 100,000 active installs, may receive a bounty of $22 - $90 / $138 - $563 USD, depending on the impact of the settings that can be manipulated.
  • An easily exploitable Unauthenticated Stored Cross-Site Scripting vulnerability in a plugin with 500,000 active installations may receive a bounty of $240 / $1,500 USD.
  • A Cross-Site Request Forgery vulnerability that allows arbitrary file deletion, in a plugin with 700,000 installs, may receive a bounty of $90 / $563 USD.
  • A SQL Injection vulnerability that requires admin-level permissions to exploit, in a plugin with over a million installs, may receive a bounty of $0. This is considered an out-of-scope vulnerability.

Bug Bounty Bonuses

The following outlines bonuses Wordfence may award to select vulnerabilities as long as the criteria are met.

Proof of Active Exploitation on a 0-day? 15%

If you are able to supply sufficient evidence that a vulnerability is being actively exploited, without a patch in place, and we can corroborate that evidence, you may receive this multiplier.

Chaining Master! 15%

If you are able to successfully chain multiple vulnerabilities together in a single piece of software to achieve a higher impact vulnerability, such as privilege escalation to admin, you may receive this multiplier.

Creative Vulnerability Finder: 10%

If you find a new technique or vulnerability type that hasn’t received much coverage, you may receive this multiplier.

Meaningful Researcher: 10%

If you submit a vulnerability report with ample documentation and an easy-to-use proof of concept to verify the vulnerability, you may receive this multiplier.

1337 Wordfence Vulnerability Researcher Program Bonus: 5%

Once you earn 1337 Wordfence Vulnerability Researcher status, you are automatically eligible to receive this bonus on all vulnerabilities found and reported to the Wordfence bug bounty program.

Affects Multiple Assets? Varies

If you submit a vulnerability that affects multiple pieces of software (i.e. the same code is present in multiple pieces of software) and you detail all the software, you may receive a multiplier of +10% for every 10 pieces of software affected.

This may be limited to 100 affected software pieces. A researcher is only eligible for this bonus if they have documented all affected software and versions in their report.

Affects Multiple Functions? Varies

If you submit a vulnerability type that affects multiple functions (i.e. the vulnerability type is present in multiple functions or pieces of functionality) and you detail all the functions, widgets, and/or functionality, you may receive a multiplier of +20% for each of the first 5 functions or widgets affected, +10% for every 5 functions affected from 6 to 20, and then +5% for every 5 functions affected from 21 to 50.

This may be limited to 50 affected functions. A researcher is only eligible for this bonus if they have documented all affected functions adequately in their report.
