Bug Bounty Program — Reward Payment Schedule

Welcome to the payout hub of our bug bounty program! Here you’ll find the complete details of our bounty payout ranges and bonuses, curated to reflect the importance of your contributions. Your efforts to uncover vulnerabilities in our open source ecosystem are invaluable, and we believe it's essential to reward your hard work appropriately.

The bounty payout is determined by a multitude of factors including the severity of the vulnerability, its likelihood of exploitation, and the potential impact on users. We've divided vulnerabilities into four ranks: Low, Medium, High, and Critical, each with its own payout range. Whether you've unearthed a Cross-Site Request Forgery or exposed an Unauthenticated Remote Code Execution, we've designed our payout structure to reflect the diverse nature of these vulnerabilities.

Please note that our Vulnerability Rank is not solely based on the CVSS score. We also take into account internal metrics to determine how impactful a vulnerability could be to both the site owner and the larger WordPress community. Factors like the likelihood of exploitation, active installation count of affected software, and the likelihood of vulnerability discovery play a crucial role in determining a vulnerability’s payout.

Along with the base bounty, we also offer bonus multipliers, designed to reward the extra mile you go in your quest for bugs. Whether you handle responsible disclosure yourself, provide evidence of active exploitation, or find a new technique, there's a bonus multiplier for you. Plus, once you earn 1337 Wordfence Vulnerability Researcher status, you are automatically eligible for a bonus on all vulnerabilities found and reported to our program.

Our payout structure is detailed below, along with examples to illustrate potential payouts. Also, we've outlined bonus multipliers and the criteria for earning them.

We believe in recognizing every piece of the puzzle you help solve. Every vulnerability you uncover, every bug you squash, contributes significantly to the integrity of our open source software. As you navigate through this bounty landscape, remember that your efforts are making a difference.

Scroll down to explore the bounty payout ranges, sample payouts, and bonus opportunities. Each bounty you tackle brings us closer to a safer, more secure open source community, and we can't wait to see what you'll uncover next!


Bounty Reward Possibilities

Please note that the bounty estimator provides an estimated reward amount only and is subject to change at any time. Any estimate provided by the bounty estimator is not a guarantee of a specific reward amount. Many factors can impact the bounties we award such as:

  • Prerequisites to exploitation, such as non-default software settings or a specific server configuration
  • Ease and replicability of exploitation (e.g. whether the vulnerability can be exploited automatically across varied environments)
  • Whether exploitation requires active user interaction, or relies on unlikely passive user interaction
  • The impact the vulnerability has on the site as a whole (i.e. to what extent it affects the confidentiality, integrity and availability of the site)
  • PHP Object Injection is awarded at the highest level of impact when a usable gadget chain is present in the affected software or in the current version of WordPress Core

Example Payouts

The following outlines some sample payouts you could receive based on our impact/severity rating system.

  • An unauthenticated remote code execution vulnerability in a plugin with 5 million active installations, with minimal or no prerequisites to exploitation, may receive a bounty of $10,000 USD (previously $1,600).
  • An authenticated stored Cross-Site Scripting vulnerability that requires contributor-level permissions to exploit, in a plugin with 50,000 installs, may receive a bounty of $94 USD (previously $15).
  • A Missing Authorization to Settings Change vulnerability that requires subscriber-level permissions to exploit, in a plugin with over 100,000 active installs, may receive a bounty of $138 - $563 USD (previously $22 - $90), depending on the impact of the settings that can be manipulated.
  • An easily exploitable unauthenticated stored Cross-Site Scripting vulnerability in a plugin with 500,000 active installations may receive a bounty of $1,500 USD (previously $240).
  • A Cross-Site Request Forgery vulnerability that allows arbitrary file deletion, in a plugin with 700,000 installs, may receive a bounty of $563 USD (previously $90).
  • A SQL Injection vulnerability that requires administrator-level permissions to exploit, in a plugin with over a million installs, receives no bounty ($0), as it is considered an out-of-scope vulnerability.

Bug Bounty Bonuses

The following outlines the bonuses Wordfence may award to select vulnerabilities, provided the stated criteria are met. Each bonus is a multiplier applied on top of the base bounty.

Proof of Active Exploitation on an 0-day?
15%

If you are able to supply sufficient evidence that a vulnerability is being actively exploited, without a patch in place, and we can corroborate that evidence, you may receive this multiplier.

Chaining Master!
15%

If you are able to successfully chain multiple vulnerabilities together in a single piece of software to achieve a higher impact vulnerability, such as privilege escalation to admin, you may receive this multiplier.

Creative Vulnerability Finder
10%

If you find a new technique or vulnerability type that hasn’t received much coverage, you may receive this multiplier.

Meaningful Researcher
10%

If you submit a vulnerability report with ample documentation and an easy-to-use proof of concept that lets us verify the vulnerability, you may receive this multiplier.

1337 Wordfence Vulnerability Researcher Program Bonus
5%

Once you earn 1337 Wordfence Vulnerability Researcher status, you are automatically eligible to receive this bonus on all vulnerabilities found and reported to the Wordfence bug bounty program.

Affects Multiple Assets?
Varies

If you submit a vulnerability that affects multiple pieces of software (i.e. the same vulnerable code is present in multiple plugins or themes) and you detail all of the affected software, you may receive a multiplier of +10% for every 10 pieces of software affected.

This bonus may be capped at 100 affected pieces of software. A researcher is only eligible for this bonus if they have documented all affected software and versions in their report.

Affects Multiple Functions?
Varies

If you submit a vulnerability type that affects multiple functions (i.e. the same vulnerability type is present in multiple functions or pieces of functionality) and you detail all of the affected functions, widgets, and/or functionality, you may receive a multiplier of +20% for each of the first 5 affected functions or widgets, +10% for every 5 affected functions from 6 to 20, and +5% for every 5 affected functions from 21 to 50.

This bonus may be capped at 50 affected functions. A researcher is only eligible for this bonus if they have adequately documented all affected functions in their report.

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!
