Wordfence Bug Bounty Program — Submission Release

I, the "Researcher," am submitting to Company the Wordfence Vulnerability Submission Form (the "Submission"). Defiant, Inc., a Delaware corporation, and its officers, directors, employees, agents, licensees, independent contractors, successors, and assigns are referred to herein collectively as "Company."

I am executing and agree to be bound by this Submission Release ("Agreement") in consideration of Company's receipt of the Submission for possible review and Validation in Company's sole discretion/review.

  1. Submissions. I understand and acknowledge that:

    1. I am voluntarily, knowingly, and intentionally submitting the Submission on an unsolicited basis;
    2. I will comply with the Wordfence Bug Bounty Program Terms and Conditions which are incorporated herein by reference;
    3. this Agreement governs any and all submission of the Submission by any means or medium, whether first submitted or otherwise disclosed to Company contemporaneously with, prior to, or following, execution of this Agreement;
    4. no fiduciary or confidential relationship or obligation of secrecy: (i) now exists between Company and me; or (ii) is intended or established between Company and me by my submission or Company's receipt, review, or use of the Submission;
    5. the Submission may be similar or identical to materials or ideas: (i) to which Company may now have, previously had, or will have access; or (ii) that Company may create, develop, or have created or developed; and
    6. Company's receipt, review, or use of the Submission is not an admission that the Submission is novel or protected or protectable by copyright or other intellectual property law.
  2. Validation and Reward Payment.

    1. To be eligible for Reward Payment:
      1. you must create a Researcher Account, and be authenticated at the time you submit a Submission. To create a Researcher Account, please visit: https://www.wordfence.com/threat-intel/researcher-register. Only registered authenticated Researchers are eligible to receive Reward Payment for Submissions; and
      2. Company must be the party that conducts the Responsible Disclosure process. For avoidance of doubt, you will not be eligible for Reward Payment if you or a third party conducts the Responsible Disclosure process.
    2. A Submission shall be deemed "Validated" when Company, at Company's sole discretion, determines the Vulnerability included in the Submission to be in-scope as set forth in Section 1(b) (Eligibility and Reward Payment) of the Wordfence Bug Bounty Program Terms and Conditions. The term "Vulnerability" shall have the meaning set forth in the Wordfence Bug Bounty Program Terms and Conditions.
    3. When a Submission is Validated by Company, Company shall pay Researcher the reward set forth in the then current Wordfence Bug Bounty Reward Payment Schedule ("Reward Payment"). Researcher agrees to accept such Reward Payment as full compensation for the Submission in accordance with the terms and conditions contained in this Agreement. Researchers will be paid out on a bi-monthly schedule to the PayPal details they have submitted to their profile. Researchers who are not registered and authenticated at the time the Researcher submits a Submission shall be deemed to voluntarily submit the Submission under the terms and conditions of this Agreement for no compensation. Submissions that require more than one CVE assignment will not be eligible for more than one Reward Payment.
    4. Company will not be liable to me for its use of any elements of the Submission that any member of the public could freely use. For the avoidance of doubt, Company reserves all rights to use, without any obligation or Reward Payment to me, any elements of the Submission that: (a) are not protected or protectable by US copyright or other US intellectual property law; or (b) are similar or identical to materials that were or are independently created by Company or other persons without reference to or use of the Submission.
  3. Acceptance, Responsible Disclosure, and Publication.

    1. Upon Validation, where the Company will submit the Vulnerability to the developer or vendor of the vulnerable software for acceptance and the developer accepts the Vulnerability, or in the event that the developer or vendor of the vulnerable software is not available to accept or will not accept the Vulnerability, where Company will submit the Vulnerability to: (i) WordPress pursuant to the instructions set forth at: https://developer.wordpress.org/plugins/wordpress-org/plugin-security/reporting-plugin-security-issues/ and WordPress accepts the Vulnerability; and/or (ii) Envato pursuant to the instructions set forth at: https://www.envato.com/lp/vulnerability-disclosure/. The Vulnerability will be deemed "Accepted" when either the vulnerable software developer or vendor, WordPress, or Envato accepts the Vulnerability submission.
    2. The Company may publish the Vulnerability in the Wordfence Intelligence vulnerability database either: (i) when the Vulnerability is Accepted and patched; (ii) when the Vulnerability is not Accepted within fourteen (14) days of the date of the Submission; or (iii) where the developer or vendor is unresponsive.
    3. Prior to Company publicly publishing the vulnerability, Company will not submit any Vulnerability information provided by you to another bug bounty or third-party managed vulnerability disclosure program.
  4. License Grant. Upon Reward Payment, I hereby grant to Company and Company's affiliates and assigns an exclusive, unrestricted, royalty-free, perpetual, irrevocable, freely transferable, and freely sublicensable license to use, reproduce, modify, prepare derivative works of, distribute, copy, perform, and display the Submission, in any form, for any purpose in accordance with the terms and conditions of this Agreement.

  5. Company Obligation. I acknowledge that the only obligation Company undertakes hereunder is to receive the Submission for possible review and to review the Submission if and to the extent Company deems appropriate in its sole discretion. Prior to a Submission being published, Company will not submit any Vulnerability information provided by you to another bug bounty or vulnerability disclosure program. No other obligation or duty of any kind is assumed by or may be implied against Company. Company may, but is not obligated to, return the Submission to me. I have retained a copy of the Submission. Company shall not be liable in any way for any loss of the Submission, irrespective of whether it is lost, misplaced, stolen, or destroyed in transit or while in Company's possession or otherwise.

  6. Researcher Indemnification. Except as this Agreement otherwise provides, I hereby irrevocably and unconditionally release and discharge Company from liability under any and all claims, demands, actions, suits, damages, and expenses of every kind whatsoever, known or unknown in any jurisdiction throughout the world (collectively, "Claims"), that may arise directly or indirectly in relation to the Submission or by reason of any claims now or hereafter made by me that Company has used or appropriated the Submission, except for fraud or willful misconduct on Company's part. I shall indemnify Company from and against all Claims arising in connection with my breach or alleged breach of this Agreement.

  7. Researcher Warranty. I represent and warrant that:

    1. I have the full right, power, and authority to enter into and comply with my obligations under this Agreement;
    2. I am the sole creator, author, and owner of the Submission;
    3. I have the exclusive right to submit the Submission to Company and to grant all right, title, and interest in the Submission, free of all liens, claims, or other encumbrances, and no rights to the Submission have previously been granted to any other person or entity;
    4. the Submission, including any element thereof, and its submission, review, and use, does not infringe, violate, or otherwise conflict with the rights of any other person or entity; and
    5. the Submission is free and clear of any pending or threatened litigation.
  8. General Terms.

    1. This Agreement, and the Wordfence Bug Bounty Program Terms and Conditions, constitutes the sole and entire agreement of Company and me with respect to the subject matter contained herein and supersedes all prior and contemporaneous understandings and agreements, both written and oral, with respect to such subject matter.
    2. Nothing in this Agreement should be construed to create a partnership, joint venture, or employer-employee relationship between Company and me. I am not an agent of Company and am not authorized to make any representation, contract, or commitment on behalf of Company. I will not be entitled to any of the benefits that Company may make available to its employees, such as vacation or sick leave, group insurance, bonuses, profit-sharing, or retirement benefits.
    3. If any term or provision of this Agreement is invalid, illegal, or unenforceable in any jurisdiction, such invalidity, illegality, or unenforceability will not affect any other term or provision of this Agreement, or invalidate or render unenforceable such term or provision, in any other jurisdiction.
    4. I will not assign any of my rights or delegate any of my obligations under this Agreement without Company's prior written consent. Any purported assignment or delegation in violation of this Section 8(d) is null and void. Company may freely assign or otherwise transfer any of its rights or delegate any of its obligations under this Agreement. This Agreement is binding on and will inure to the benefit of Company and me and our respective permitted successors and assigns.
    5. I am not:
      1. a resident of or currently located in any country subject to export control embargo or economic sanctions implemented by any agency of the U.S. or foreign governments;
      2. a person or entity on any of the U.S. Government’s Lists of Parties of Concern (https://www.bis.doc.gov/index.php/policy-guidance/lists-of-parties-of-concern) or applicable international specially-designated parties or economic sanctions programs; or
      3. otherwise in violation of, and will not cause Company to be in violation of, any export or import laws, regulations or requirements of any United States or foreign agency or authority by entering into this Agreement.
    6. This Agreement will be governed by and construed in accordance with the laws of the State of Washington without reference to its conflict of law provisions. If for any reason a claim proceeds in court rather than in arbitration, you agree to submit to the exclusive jurisdiction and venue in the state and federal courts sitting in King County, Washington, for any and all disputes, claims, and actions arising from or in connection with the Submission or this Agreement.
    7. Any dispute, controversy or claim arising out of or relating to this Agreement or the breach, termination or validity thereof, including the determination of the scope or applicability of the agreement to arbitrate, shall be settled by arbitration in Seattle, Washington administered by the American Arbitration Association in accordance with its Commercial Arbitration Rules then in effect. Judgment upon the arbitration award may be entered, and application for judicial confirmation or enforcement of the arbitration award may be made in any court of competent jurisdiction.
    8. I acknowledge and agree that:
      1. monetary damages are a fully adequate remedy to compensate me for any breach or threatened breach of this Agreement by Company; and
      2. in the event of any dispute, my sole and exclusive remedy is monetary damages. No breach by Company of this Agreement will entitle me to equitable relief, including specific performance, injunctive relief, rescission, or any other form of equitable remedy.
    9. This Agreement may only be amended, modified, or supplemented by an agreement in writing signed by Company and me.
