Bug Bounty Program — Reward Payment Schedule

Welcome to the payout hub of our bug bounty program! Here you’ll find the complete details of our bounty payout ranges and bonuses, curated to reflect the importance of your contributions. Your efforts to uncover vulnerabilities in our open source ecosystem are invaluable, and we believe it's essential to reward your hard work appropriately.

The bounty payout is determined by a multitude of factors including the severity of the vulnerability, its likelihood of exploitation, and the potential impact on users. We've divided vulnerabilities into four ranks: Low, Medium, High, and Critical, each with its own payout range. Whether you've unearthed a Cross-Site Request Forgery or exposed an Unauthenticated Remote Code Execution, we've designed our payout structure to reflect the diverse nature of these vulnerabilities.

Please note that our Vulnerability Rank is not solely based on the CVSS score. We also take into account internal metrics to determine how impactful a vulnerability could be to both the site owner and the larger WordPress community. Factors like the likelihood of exploitation, active installation count of affected software, and the likelihood of vulnerability discovery play a crucial role in determining a vulnerability’s payout.

Along with the base bounty, we also offer bonus multipliers, designed to reward the extra mile you go in your quest for bugs. Whether you handle responsible disclosure yourself, provide evidence of active exploitation, or find a new technique, there's a bonus multiplier for you. Plus, once you earn a 1337 Wordfence Vulnerability Researcher status, you are automatically eligible for a bonus on all vulnerabilities found and reported to our program.

Our payout structure is detailed below, along with examples to illustrate potential payouts. Also, we've outlined bonus multipliers and the criteria for earning them.

We believe in recognizing every piece of the puzzle you help solve. Every vulnerability you uncover, every bug you squash, contributes significantly to the integrity of our open source software. As you navigate through this bounty landscape, remember that your efforts are making a difference.

Scroll down to explore the bounty payout ranges, sample payouts, and bonus opportunities. Each bounty you tackle brings us closer to a safer, more secure open source community, and we can't wait to see what you'll uncover next!

Bounty Reward Possibilities

Please note that the bounty estimator provides an estimated reward amount only and is subject to change at any time. Any estimate provided by the bounty estimator is not a guarantee of a specific reward amount. Many factors can impact the bounties we award such as:

• Prerequisites to exploit, such as software settings or specific server configuration
• Ease and replicability of exploitation (i.e. can the vulnerability be automatically exploited across various environments)
• Active user interaction, or unlikely passive user interaction, as a requirement to exploit
• The impact the vulnerabilities has on the site as a whole (i.e. to what extent does the vulnerability impact the CIA of the site).
• PHP Object Injection will be awarded at the highest level of impact if a usable gadget is present in the software, or in the current version of WordPress Core.
• We have a minimum bounty award of $5.

Monthly Bug Detector Streak Bonus

Each calendar month (for example, January 1–31), you can earn a Monthly Bug Detector Streak Bonus based on the quality, diversity, and impact of your vulnerability submissions.

Bonuses are not cumulative. Your reward is determined by the highest bonus tier you qualify for within that month. For example, if you qualify for the $200 tier after submitting 20 vulnerabilities, your total bonus for the month will be $200, not the sum of lower tiers. Vulnerabilities must always be in-scope to count towards increasing the monthly streak bonus.

To encourage high-quality and varied research, certain limits apply to how submissions count toward streak progression. These are outlined below.

Bonus Qualification Structure

Apprentice Bug Detector

(Submissions 1-10 each month)

You may qualify for:

• $35 bonus for at least 5 valid submissions.
• $75 bonus for 10 valid submissions.

Trainee Bug Detector

(Submissions 11-30 each month)

You may qualify for:

• $200 bonus for 20 total valid submissions.
• $300 bonus for 30 total valid submissions.

Professional Bug Detector

(Submissions 31+ each month)

For higher-volume contributors:

• Only vulnerabilities from our High-Threat list count toward increasing your bonus

You may qualify for:

• $600 bonus for 40 valid submissions, with at least:
  • 30 in-scope
  • 10 from the high-threat list.
• $1,000 bonus for 50 valid submissions, with at least:
  • 30 in-scope
  • 20 from the high-threat list.
• $1,200 bonus for 60 valid submissions, with at least:
  • 30 in-scope
  • 30 from the high-threat list.

Additional Quality Safeguards

To promote meaningful and diverse research:

• Out of Scope submissions will not count toward streak progression
• Only 5 vulnerabilities per calendar year will count toward streak bonuses for any unique combination of:
  • Vulnerability type (CWE)
  • Required authentication level

Once this annual limit is reached for a specific CWE + authentication combination, additional submissions of that same type may still be submitted and rewarded normally, but will not increase your Monthly Streak Bonus.

Payout Schedule

Monthly Bug Detector Streak Bonuses are paid on the same schedule as bounty rewards — the 1st and 15th of each month — after review and approval by our team.

Bug Bounty Bonuses

The following outlines some bonuses Wordfence may award select vulnerabilities with as long as the criteria is met.