Wordfence Bug Bounty Program — Terms and Conditions
These Wordfence Bug Bounty Program (“Program”) Terms and Conditions (“Terms and
Conditions”) describe the terms and conditions of your participation in the Program and are a binding
agreement between you (the “Researcher”) and Defiant, Inc., a Delaware corporation, which, together with its
officers, directors, employees, agents, licensees, independent contractors, successors, and assigns, is
referred to herein collectively as “Company.”
For the purposes of these Terms and Conditions, a “Vulnerability” is any information
submitted through the Wordfence Vulnerability Submission Form.
Researchers ("you", "your") may submit Vulnerabilities of any type for CVE assignment via the Wordfence Vulnerability
Submission Form located at https://www.wordfence.com/threat-intel/vulnerabilities/submit, or our CVE request form located at
https://www.wordfence.com/request-cve/. Independent Researchers do not need to
participate in the Program in order to report Vulnerabilities to Company or request a CVE ID. If you would like
to report a Vulnerability to Company for CVE assignment, or addition to the Wordfence Intelligence
Vulnerability database, please use the Wordfence Vulnerability Submission Form.
To participate in the Program, Researchers must accept and follow these Terms and Conditions. Company
reserves the right to modify the scope, rules, and vulnerability reward payouts at any time. These Terms and
Conditions are incorporated into and made part of the Wordfence Terms of Service by reference. If you do not
agree to these Terms and Conditions, do not submit Vulnerabilities through the Program.
1. Wordfence Bug Bounty Program Rules
The Researcher agrees as follows:
- Researcher Accounts and General Rules
- To participate in the Program, Researchers must create a Researcher Account and be
authenticated at the time the Researcher submits the Vulnerability. To create a Researcher
Account, please visit: https://www.wordfence.com/threat-intel/researcher-register.
- When you submit a Vulnerability, the Researcher Profile information you provide in connection
with your Researcher Account, including your name, alias, display name, Twitter handle,
Facebook url, LinkedIn url, website address, and biographical information may be displayed
publicly and shared with Company service providers and other Researchers.
- Company must be the only organization a Researcher submits the Vulnerability to, and the
Vulnerability must not be previously disclosed elsewhere, in order to be eligible for Reward
Payment as set forth in the Wordfence Bug Bounty Reward Payment Schedule.
- You will not publicly disclose any of the Vulnerability’s details until (a) Company has
completed the Responsible Disclosure process set forth at
https://www.wordfence.com/blog/2021/07/youve-found-a-vulnerability-now-what-a-guide-to-responsible-disclosure/
and (b) the CVE has been made public. Company will contact you when these two activities are
complete.
- Vulnerabilities will be considered confidential until they have been published in the
Wordfence Intelligence vulnerability database.
- If you share details of the Vulnerability with a third party while the company is
conducting the responsible disclosure process, you will be given a warning for the first
offense. Additional offenses may result in you being banned from participating in the
program.
- Eligibility and Reward Payment
- For any submitted Vulnerability to be eligible for Reward Payment, the Vulnerability must be
within the bug bounty program scope outlined in the section titled “Bug Bounty Program Scope”
below, and the Vulnerability must be Validated as set forth in Section 2(b) of the
Wordfence Bug Bounty Program Submission Release.
- Any Vulnerability may be rejected or returned to the Researcher if it is missing complete
details that help validate and confirm the existence of the Vulnerability.
- A Standard Researcher can only have 5 pending Vulnerability submissions open at any given time, unless
they are a Researcher in one of our additional
researcher tiers. 1337 Wordfence Vulnerability Researchers can have 30 pending Vulnerability
submissions open at any given time, and Resourceful Researchers can have 15 pending
Vulnerability submissions open at any given time.
- Vulnerabilities dependent upon one or more additional vulnerabilities to exploit are not
eligible for Reward Payment, unless the vulnerable software and/or the current version of
WordPress Core include(s) all vulnerabilities required to perform a successful exploit.
- Vulnerabilities that require more than one CVE assignment may not be eligible
for more than one Reward Payment (as set forth and defined in the
Wordfence Bug Bounty Program Submission Release). The Reward
Payment will be awarded for the higher paying CVE’s vulnerability type.
- Example: Missing Authorization vulnerabilities that are also vulnerable to Cross-Site
Request Forgery are only eligible for the missing authorization Reward Payment,
however, the report may receive two CVEs depending on how the two issues were
patched.
- A Vulnerability that affects multiple plugins, themes, libraries, or other software components
with the same vulnerable code will be awarded a Reward Payment for the base rate along with a
multiplier depending on how many components are affected, as set forth in the
Wordfence Bug Bounty Reward Payment Schedule.
- Vulnerabilities that require high-level privileges to exploit (PR:H), such as access to a user
account with the administrator or editor role, may receive a CVE ID, but are not eligible for a
Reward Payment.
- At Company’s sole discretion, Vulnerability submissions may be eligible for bonuses to award
exceptional work.
- In the event of two or more Researchers submitting the same Vulnerability in the same
component, the Researcher who submitted first will be the one eligible to receive Reward
Payment.
- Vulnerabilities that have the same code-base as a previously disclosed Vulnerability that
received Reward Payment will not be awarded any additional Reward Payment.
- Only one critical impact bounty will be awarded to the first submitting researcher for any given vulnerability
type and impact reported and present in the most current version of the affected software,
regardless of any additional pieces of functionality being affected and submitted by additional
researchers. For example, if researcher A submits a Contributor-level Stored Cross-Site
Scripting vulnerability in plugin “ABC” and then three other researchers submit
Contributor-level Stored Cross-Site Scripting vulnerabilities in plugin “ABC” in three different
widgets, only researcher A will be granted a critical impact bounty award. The subsequent researchers
may be awarded a lower impact bounty at Defiant's discretion. However, if one of the other
researchers submits a different type of Stored Cross-Site Scripting, such as Subscriber-level
Stored Cross-Site Scripting, they would be eligible for a critical impact bounty.
- Bypasses to patches in vulnerabilities originally reported through the bug bounty program are
not eligible for additional bounties unless at least 10 versions have been released.
- Prohibited Acts, Banning, and Restriction
- If we suspect an individual is using automated tools to perform bulk vulnerability discovery,
we reserve the right to restrict the level of Reward Payments that individual is eligible
for.
- Developers may not report Vulnerabilities in their own software.
- Company may terminate, ban, or restrict a Researcher for any reason at the sole discretion of
Company.
- Researchers violating any of these Terms and Conditions may be restricted or banned from the
Program and be unable to submit Vulnerabilities.
- If a Researcher submits more than 5 false positive, low-quality (for example, simply outputting
the results of a security scanner), or out-of-scope Vulnerabilities over a period of 7 days,
the Researcher’s ability to submit Vulnerabilities will be restricted, at Company’s discretion,
for the next 7 days.
- After 10 false positive, low-quality, or out-of-scope Vulnerability submissions in a
period of one year, the Researcher will be given a warning that they may be permanently
banned from participating in the Program.
- If the Researcher does not comply after being provided a warning, and continues to
submit low-quality reports, they may be permanently banned from participating in the
Program.
- If we suspect a researcher is attempting to game the Bug Bounty Program to bypass current rules
and bounty reward criteria, we may restrict or ban the researcher from being able to
participate in the program. Examples of gaming include a) withholding vulnerability information
from a Vulnerability Submission in attempt to earn an additional bounty by submitting additional
information (i.e. a bypass) in a subsequent new report when the initial reported vulnerability
is suspected to be patched b) working as a team to submit multiple affected components of the
same vulnerability type in a single plugin through different reports to earn a bounty for each
affected component (i.e. widget).
2. Bug Bounty Program Scope
- Assets Considered In Scope
- High Threat Vulnerabilities
All WordPress plugins and themes that can be run locally, both free and premium, with >=1,000
active installations are in scope for all researchers for a select list of high threat
vulnerabilities when exploitable by unauthenticated or low-level authenticated (Subscriber) attackers.
These vulnerabilities are exclusively listed here:
- Arbitrary PHP File Upload
- Arbitrary PHP File Read
- Arbitrary PHP File Deletion
- Arbitrary Options Update
- Remote Code Execution
- Authentication Bypass to Admin
- Privilege Escalation to Admin
- All Remaining In-Scope Vulnerabilities
All WordPress plugins and themes that can be run locally, both free and premium, with
>=50,000 active installations are in scope for all Researchers, with a few exceptions detailed
in the out-of-scope section. If you are a “1337 Wordfence Vulnerability Researcher”
(defined below) all WordPress plugins and themes that can be run locally, both free and premium,
with >=1,000 active installations are in scope, with a few exceptions detailed in the
out-of-scope section. If you are in our “Resourceful Researcher” researcher tier (defined
below) all WordPress plugins and themes that can be run locally, both free and premium, with
>=15,000 active installations are in scope, with a few exceptions detailed in the out-of-scope
section.
- Assets Considered Out of Scope
- WordPress Core is considered out of scope for the Program, however, we may still assign a CVE
ID to any Vulnerability discovered in core.
- Each software listed below has a publicly published bug bounty or responsible disclosure program
and is considered out-of-scope. The list may be updated as more bounty programs are discovered.
Please note that any piece of software listed under a competing WordPress Vulnerability
Disclosure Program (VDP), Bug Bounty Program, or vulnerability database is not considered
out-of-scope as long as the vulnerability is reported directly to us and not the competitor.
If you are unsure if you can report a vulnerability to us and potentially earn our bounty
rewards, please contact us.
- All Facebook Products
- All Google Products
- All Brainstorm Force Products
- WordPress Core
- All Automattic Products
- All Siteground Products
- All Yoast Products
- Plugins or Themes that are closed to downloads or sales are not in scope, unless the closure
reason was due to a Vulnerability the reporting Researcher found and responsibly disclosed, and
the Researcher has adequate proof they were the one who found and reported the issue.
- Any web service associated with a WordPress plugin or theme that is not run locally (such as an
API running on a plugin vendor’s website) is considered out of scope.
- Vulnerabilities Considered In-Scope
All issues in WordPress Plugins and Themes with a considerable impact to the confidentiality,
integrity, and availability of a WordPress site are considered in scope of this program as long as
they do not require high level permissions (PR:H) to exploit. The following is a list of some
common vulnerabilities that will be accepted.
- Stored Cross-Site Scripting
- Reflected Cross-Site Scripting
- Cross-Site Request Forgery, that has a considerable impact on a site’s security
- Missing Authorization, that leads to a considerable impact on a site’s security
- Arbitrary Content Deletion
- SQL Injection
- Insecure Direct Object Reference
- Arbitrary File Upload
- Arbitrary File Download/Read
- Arbitrary File Deletion
- Local File Include/Remote File Include
- Directory Traversal
- Privilege Escalation to Admin
- Privilege Escalation to Non-Admin
- Authentication Bypass to Admin
- Authentication Bypass to Non-Admin
- Remote Code Execution/Code Injection
- Information Disclosure
- Server-Side Request Forgery
- PHP Object Injection
- Intentional Backdoors Added by Developers that are Accessible by Threat Actors
- Vulnerabilities Considered Out of Scope
The following is a list of vulnerabilities and issues explicitly out of scope from the bug bounty
program. Vulnerabilities that have a minimal impact on the security of WordPress sites, or are
unlikely to be successfully exploited in the wild, may be considered out of scope for the program.
These issues typically require some form of user interaction that may be challenging to complete,
or do not have a considerable impact on the security of WordPress sites.
- CSV Injection
- IP Spoofing, where the only impact is integrity
- Secrets (such as 2FA secrets) that are stored in plaintext in a database that can’t be
exploited through another Vulnerability in the plugin
- Web Application Firewall (WAF) Rule Bypasses
- CSS Injection, where there is not a considerable and demonstrable impact to a site’s security
- HTML Injection, where there is not a considerable and demonstrable impact to a site’s security
- DoS Vulnerabilities, where there is not a considerable and demonstrable impact to a site’s
security
- CAPTCHA Bypasses
- CORS Issues
- Software containing vulnerable packages or dependencies that are not verifiably exploitable in
that plugin or theme
- Any Vulnerability requiring PR:H to Exploit. Administrator, Editor, and Shop Manager roles,
along with any other role that has the 'unfiltered_html' capability fall into this category.
- Open Redirect
- TabNabbing
- Vulnerabilities dependent on successfully exploiting a race condition that is not easily
replicable in a common configuration.
- Cache Poisoning, where there is not a considerable and demonstrable impact to a site’s
security
- TOCTOU, where there is not a considerable and demonstrable impact to a site’s security
- Self Cross-Site Scripting
- Issues that lead to Username Enumeration
- Theoretical Vulnerabilities
- Lack of HTTP Headers
- Clickjacking
- Server-Side Request Forgery via DNS Rebinding
- API Key Updates/Overwrites/Reads
- Full Path Disclosure
- Cross-Site Request Forgery on unauthenticated forms or on forms with no sensitive actions
(examples include disabling a non-critical admin notice)
- Vulnerabilities that only affect users of outdated or unpatched browsers (an outdated or
unpatched browser is considered 2 stable versions behind the latest released version)
- Any Vulnerability with a CVSS 3.1 score that is lower than 4.0 and can’t be leveraged to
achieve a higher score.
- Vulnerabilities only exploitable on configurations running EOL versions of software, such as
PHP, MySQL, Apache, nginx, OpenSSL
- Any SQL Injection that requires wp_magic_quotes to be disabled in order to exploit
- Security issues or vulnerabilities that require local access to the server to exploit
- Vulnerabilities that can only be exploited by an administrator explicitly granting access to a
lower-privileged user
- Vulnerabilities that require brute force to exploit
3. 1337 Wordfence Vulnerability Researcher Program
The 1337 Wordfence Vulnerability Researcher Program is a program designed to incentivize the
highest-quality Researchers contributing to the security of the WordPress ecosystem. Once a Researcher
has demonstrated authenticity and meaningful research, by meeting the outlined criteria, they will be
awarded the “1337 Wordfence Vulnerability Researcher” status that will add a flag to their Researcher
profile and unlock additional capabilities as a WordPress security Researcher, such as the ability to
earn Reward Payments for lower install count software and a bonus on all reported Vulnerabilities.
- Eligibility for the 1337 Wordfence Vulnerability Researcher Program
To be considered for “1337 Wordfence Vulnerability Researcher” status, a Researcher must meet and
maintain the following requirements.
- The Researcher must complete at least one of the following:
- Discover and submit 5 or more Critical Severity, High Impact (i.e. plugin/theme with
over 50,000 Active Installations) Vulnerabilities with high quality reports.
Examples of qualifying vulnerabilities include:
- Unauthenticated Remote Code Execution
- Unauthenticated Arbitrary File Upload to Remote Code Execution
- Unauthenticated Stored Cross-Site Scripting
- Unauthenticated SQL Injection
- Missing Authorization to Unauthenticated Data Alteration or Read in a
critical way
- Authentication Bypass to Admin
- Unauthenticated Privilege Escalation
- Unauthenticated Arbitrary File Deletion
- Unauthenticated Arbitrary File Read
- Discover and submit 10 or more High Severity, High Impact (i.e. plugin/theme with
over 50,000 Active Installations) Vulnerabilities with high quality reports.
Examples of qualifying vulnerabilities include:
- Authenticated (Subscriber/Customer) Remote Code Execution
- Authenticated (Subscriber/Customer) Arbitrary File Upload to Remote
Code Execution
- Authenticated (Subscriber/Customer) Stored Cross-Site Scripting
- Authenticated (Subscriber/Customer) SQL Injection
- Missing Authorization to Authenticated (Subscriber/Customer) Data Alteration
or Read in a critical way
- Authenticated (Subscriber/Customer) Privilege Escalation to Admin
- Authenticated (Subscriber/Customer) Arbitrary File Deletion
- Authenticated (Subscriber/Customer) Arbitrary File Read
- In addition to completing at least one of the following:
- Discover and submit 15 high quality valid Vulnerability reports. These reports have very
detailed information and an easy to validate proof of concept.
- Submit proof of approved offensive security certification or other mastery security
certification. The following list is exhaustive, and additional qualifying
certifications may be added over time: OSCP, OSWA, OSWE, OSEP, OSED, eWPTx, eWPT,
CISSP, CISM, CISA.
- Additionally, the researcher must not:
- have submitted more than 10 false positive or Low Quality Vulnerability reports in a 90 day window.
- To maintain 1337 Wordfence Vulnerability Researcher credibility, a Researcher must ensure the
following is completed each year:
- Ensure you don’t submit more than 10 false positive or Low Quality Vulnerability
reports in a 90 day window.
Additionally, at least one of the following must be completed in the same period:
- Report at least 5 critical severity Vulnerabilities
- Report at least 10 high severity Vulnerabilities
- Report at least 20 medium severity Vulnerabilities
A Researcher’s 1337 Wordfence Vulnerability Researcher status may be revoked at any point if Company
suspects the Researcher is abusing the system or at Company’s sole discretion.
- Benefits of being a “1337 Wordfence Vulnerability Researcher”
- Unlock the ability to submit Vulnerabilities for plugins and themes with lower than the 50k
active install count threshold (but higher than 1k active installations).
- Pending Vulnerability submission limit will be increased from 5 to 30 pending reports at any
given time.
- An achievement badge will be added to your profile indicating that you are a “1337 Wordfence
Vulnerability Researcher,” which is a Researcher trusted by the Wordfence team for authentic,
quality Vulnerability research.
- Earn a 5% Reward Payment bonus on all accepted Vulnerability submissions
4. Additional Researcher Tiers
Defiant may add, remove, or modify researcher tiers, eligibility, benefits, and capabilities at any time.
Below we have summarized the current researcher tiers and the benefits that you may earn within each.
Resourceful Researcher Tier
To be eligible for the “Resourceful Researcher” tier, a Researcher must meet and maintain the following requirements.
- Eligibility for the Resourceful Researcher Tier
- The Researcher must complete at least one of the following:
- Discover and submit at least one critical severity vulnerability in a plugin or theme
with >= 50,000 Active Installations. Examples include:
- Unauthenticated Remote Code Execution
- Unauthenticated Arbitrary File Upload to Remote Code Execution
- Unauthenticated Stored Cross-Site Scripting
- Unauthenticated SQL Injection
- Missing Authorization to Unauthenticated Data Alteration or Read in a
critical way
- Authentication Bypass to Admin
- Unauthenticated Privilege Escalation
- Unauthenticated Arbitrary File Deletion
- Unauthenticated Arbitrary File Read
- Discover and submit at least three high severity vulnerabilities in plugins or themes
with >= 50,000 Active Installations. Examples include:
- Authenticated (Subscriber/Customer) Remote Code Execution
- Authenticated (Subscriber/Customer) Arbitrary File Upload to Remote
Code Execution
- Authenticated (Subscriber/Customer) Stored Cross-Site Scripting
- Authenticated (Subscriber/Customer) SQL Injection
- Missing Authorization to Authenticated (Subscriber/Customer) Data Alteration or
Read in a critical way
- Authenticated (Subscriber/Customer) Privilege Escalation to Admin
- Authenticated (Subscriber/Customer) Arbitrary File Deletion
- Authenticated (Subscriber/Customer) Arbitrary File Read
- In addition to completing the following:
- The Researcher has not submitted more than 5 False Positive or Low Quality Reports in a 90 day window.
- Benefits of the “Resourceful Researcher” Tier
- Unlock the ability to submit vulnerabilities for bounty rewards in plugins and themes with
15k-50k active installations.
- Pending Vulnerability submission limit will be increased from 5 to 15 pending reports at
any given time.
- An achievement badge will be added to your profile indicating that you are a “Resourceful Researcher,”
which is a Researcher that has proven their ability to find vulnerabilities that very
positively impact the security of the WordPress ecosystem.
A Researcher’s Tier may be revoked at any point if Company suspects the Researcher is abusing the system or
at Company’s sole discretion.
Company reserves the right to grant these tiers at any point, even if the researcher has not met the
specified criteria.