Wordfence Bug Bounty Program — Terms and Conditions
These Wordfence Bug Bounty Program (“Program”) Terms and Conditions (“Terms and
Conditions”) describe the terms and conditions of your participation in the Program and are a binding
agreement between you (the “Researcher”) and Defiant, Inc., a Delaware corporation. Defiant, Inc. and its
officers, directors, employees, agents, licensees, independent contractors, successors, and assigns are
referred to herein collectively as “Company.”
For the purposes of these Terms and Conditions, a “Vulnerability” is any information
submitted through the Wordfence Vulnerability Submission Form.
Researchers may submit Vulnerabilities of any type for CVE assignment via the Wordfence Vulnerability
Submission Form located at https://www.wordfence.com/threat-intel/vulnerabilities/submit, or our CVE request form located at
https://www.wordfence.com/request-cve/. Independent Researchers do not need to
participate in the Program in order to report Vulnerabilities to Company or request a CVE ID. If you would like
to report a Vulnerability to Wordfence for CVE assignment, or addition to the Wordfence Intelligence
Vulnerability database, please use the Wordfence Vulnerability Submission Form.
To participate in the Program, Researchers must accept and follow these Terms and Conditions. Company
reserves the right to modify the scope, rules, and vulnerability reward payouts at any time. These Terms and
Conditions are incorporated into and made part of the Wordfence Terms of Service by reference. If you do not
agree to these Terms and Conditions, do not submit Vulnerabilities through the Program.
1. Wordfence Bug Bounty Program Rules
The Researcher agrees as follows:
- Researcher Accounts and General Rules
  - To participate in the Program, Researchers must create a Researcher Account and be
    authenticated at the time the Researcher submits the Vulnerability. To create a Researcher
    Account, please visit: https://www.wordfence.com/threat-intel/researcher-register.
  - When you submit a Vulnerability, the Researcher Profile information you provide in connection
    with your Researcher Account, including your name, alias, display name, Twitter handle,
    Facebook URL, LinkedIn URL, website address, and biographical information, may be displayed
    publicly and shared with Company service providers and other Researchers.
  - Company must be the only organization a Researcher submits the Vulnerability to, and the
    Vulnerability must not have been previously disclosed elsewhere, in order to be eligible for Reward
    Payment as set forth in the Wordfence Bug Bounty Reward Payment Schedule.
  - If you opt to have Wordfence handle the responsible disclosure process, you will not publicly
    disclose any of the Vulnerability’s details until the CVE has been made public; by that point
    Wordfence will have followed its posted responsible disclosure guidelines and will contact you.
  - Vulnerabilities should be considered confidential until they have been published in the
    Wordfence Intelligence vulnerability database.
  - If details are shared with a third party while in the responsible disclosure period, the
    Researcher will be given a warning for the first offense. Additional offenses may
    result in the Researcher being banned from participating in the Program.
- Eligibility and Reward Payment
  - For any submitted Vulnerability to be eligible for Reward Payment, it must be within the bug
    bounty program scope outlined in the section titled “Bug Bounty Program Scope” below.
  - Any Vulnerability may be rejected or returned to the Researcher if it is missing complete
    details that help validate and confirm the existence of the Vulnerability.
  - A Researcher can only have 5 pending Vulnerability submissions open at any given time, unless
    they are a 1337 Wordfence Vulnerability Researcher. 1337 Wordfence Vulnerability Researchers
    can have 30 pending Vulnerability submissions open at any given time.
  - Vulnerabilities dependent upon one or more additional vulnerabilities to exploit are not
    eligible for Reward Payment, unless the vulnerable software and/or the current version of
    WordPress Core include(s) all vulnerabilities required to perform a successful exploit.
  - Vulnerabilities that require more than one CVE assignment may not be eligible
    for more than one Reward Payment (as set forth and defined in the
    Wordfence Bug Bounty Program Submission Release). The Reward
    Payment will be awarded for the higher paying CVE’s vulnerability type.
    - Example: Missing Authorization vulnerabilities that are also vulnerable to Cross-Site
      Request Forgery are only eligible for the Missing Authorization Reward Payment;
      however, the report may receive two CVEs depending on how the two issues were
      patched.
  - A Vulnerability that affects multiple plugins, themes, libraries, or other software components
    with the same vulnerable code will be awarded a Reward Payment for the base rate along with a
    multiplier depending on how many components are affected, as set forth in the
    Wordfence Bug Bounty Reward Payment Schedule.
  - Vulnerabilities that require high-level privileges to exploit (PR:H), such as access to a user
    account with the administrator or editor role, may receive a CVE ID, but are not eligible for a
    Reward Payment.
  - At Company’s sole discretion, Vulnerability submissions may be eligible for bonuses to award
    exceptional work.
  - In the event of two or more Researchers submitting the same Vulnerability in the same
    component, the Researcher who submitted first will be the one eligible to receive Reward
    Payment.
  - Vulnerabilities that have the same code-base as a previously disclosed Vulnerability that
    received Reward Payment will not be awarded any additional Reward Payment.
  - If you are a Researcher that handled responsible disclosure of a Vulnerability, and the plugin
    and/or theme was closed for downloads as a result of responsibly disclosing the Vulnerability,
    you must report the Vulnerability to us within 48 hours of the plugin or theme closure to be
    eligible for Reward Payment, along with submitting proof that you were the Researcher
    responsible for reporting the Vulnerability that led to the closure/removal of the
    software.
- Prohibited Acts, Banning, and Restriction
  - If we suspect an individual is using automated tools to perform bulk vulnerability discovery,
    we reserve the right to restrict the level of Reward Payments that individual is eligible
    for.
  - Developers may not report Vulnerabilities in their own software.
  - Company may terminate, ban, or restrict a Researcher for any reason at the sole discretion of
    Company.
  - Researchers violating any of these Terms and Conditions may be restricted or banned from the
    Program and be unable to submit Vulnerabilities.
  - Researchers must adhere to all responsible disclosure policies listed at
    https://www.wordfence.com/security.
  - If a Researcher submits more than 5 false positive, low-quality (for example, simply outputting
    the results of a security scanner), or out-of-scope Vulnerabilities over a period of 7 days,
    the Researcher’s ability to submit Vulnerabilities will be restricted, at Company’s discretion,
    for the next 7 days.
    - After 10 false positive, low-quality, or out-of-scope Vulnerability submissions in a
      period of one year, the Researcher will be given a warning that they may be permanently
      banned from participating in the Program.
    - If the Researcher does not comply after being provided a warning, and continues to
      submit low-quality reports, they may be permanently banned from participating in the
      Program.
2. Bug Bounty Program Scope
- Assets Considered In Scope
  All WordPress plugins and themes that can be run locally, both free and premium, with more than 50,000 active
  installations are in scope for all Researchers, with a few exceptions detailed in the out-of-scope
  section. If you are a “1337 Wordfence Vulnerability Researcher” (defined below), all WordPress
  plugins and themes that can be run locally, both free and premium, with greater than 1,000 active
  installations are in scope, with a few exceptions detailed in the out-of-scope section.
- Assets Considered Out of Scope
  - WordPress Core is considered out of scope for the Program; however, we may still assign a CVE
    ID to any Vulnerability discovered in core.
  - Any software that currently has a publicly published bug bounty or responsible disclosure
    program. This list is non-exhaustive and may update as more bounty programs are discovered.
    - All Facebook Products
    - All Google Products
    - All Brainstorm Force Products
    - WordPress Core
    - All Automattic Products
    - All SiteGround Products
  - Plugins or Themes that are closed to downloads or sales are not in scope, unless the closure
    reason was due to a Vulnerability the reporting Researcher found and responsibly disclosed, and
    the Researcher has adequate proof they were the one who found and reported the issue.
  - Any web service associated with a WordPress plugin or theme that is not run locally (such as an
    API running on a plugin vendor’s website) is considered out of scope.
- Vulnerabilities Considered In Scope
  All issues in WordPress Plugins and Themes with a considerable impact to the confidentiality,
  integrity, and availability of a WordPress site are considered in scope of this program as long as
  they do not require high-level permissions (PR:H) to exploit. The following is a list of some
  common vulnerabilities that will be accepted.
  - Stored Cross-Site Scripting
  - Reflected Cross-Site Scripting
  - Cross-Site Request Forgery, that has a considerable impact on a site’s security
  - Missing Authorization, that leads to a considerable impact on a site’s security
  - Arbitrary Content Deletion
  - SQL Injection
  - Insecure Direct Object Reference
  - Arbitrary File Upload
  - Arbitrary File Download/Read
  - Arbitrary File Deletion
  - Local File Include/Remote File Include
  - Directory Traversal
  - Privilege Escalation to Admin
  - Privilege Escalation to Non-Admin
  - Authentication Bypass to Admin
  - Authentication Bypass to Non-Admin
  - Remote Code Execution/Code Injection
  - Information Disclosure
  - Server-Side Request Forgery
  - PHP Object Injection
  - Intentional Backdoors Added by Developers that are Accessible by Threat Actors
- Vulnerabilities Considered Out of Scope
  The following is a list of vulnerabilities and issues explicitly out of scope from the bug bounty
  program. Vulnerabilities that have a minimal impact on the security of WordPress sites, or are
  unlikely to be successfully exploited in the wild, may be considered out of scope for the program.
  These issues typically require some form of user interaction that may be challenging to complete,
  or do not have a considerable impact on the security of WordPress sites.
  - CSV Injection
  - IP Spoofing, where the only impact is integrity
  - Secrets (such as 2FA secrets) that are stored in plaintext in a database that can’t be
    exploited through another Vulnerability in the plugin
  - Web Application Firewall (WAF) Rule Bypasses
  - CSS Injection, where there is not a considerable and demonstrable impact to the site’s security
  - HTML Injection, where there is not a considerable and demonstrable impact to the site’s security
  - DoS Vulnerabilities, where there is not a considerable and demonstrable impact to the site’s
    security
  - CAPTCHA Bypasses
  - CORS Issues
  - Software containing vulnerable packages or dependencies that are not verifiably exploitable in
    that plugin or theme
  - Any Vulnerability requiring PR:H (Administrator or Editor roles typically fall into this
    category)
  - Open Redirect
  - TabNabbing
  - Vulnerabilities dependent on successfully exploiting a race condition that is not easily
    replicable in a common configuration
  - Cache Poisoning, where there is not a considerable and demonstrable impact to the site’s
    security
  - TOCTOU, where there is not a considerable and demonstrable impact to the site’s security
  - Self Cross-Site Scripting
  - Issues that lead to Username Enumeration
  - Theoretical Vulnerabilities
  - Lack of HTTP Headers
  - Clickjacking
  - Cross-Site Request Forgery on unauthenticated forms or on forms with no sensitive actions
    (examples include disabling a non-critical admin notice)
  - Vulnerabilities that only affect users of outdated or unpatched browsers (an outdated or
    unpatched browser is considered 2 stable versions behind the latest released version)
  - Any Vulnerability with a CVSS 3.1 score that is lower than 4.0 and can’t be leveraged to
    achieve a higher score
  - Vulnerabilities only exploitable on configurations running EOL versions of software, such as
    PHP, MySQL, Apache, nginx, OpenSSL
3. 1337 Wordfence Vulnerability Researcher Program
The 1337 Wordfence Vulnerability Researcher Program is a program designed to incentivize the
highest-quality Researchers contributing to the security of the WordPress ecosystem. Once a Researcher
has demonstrated authenticity and meaningful research, by meeting the outlined criteria, they will be
awarded the “1337 Wordfence Vulnerability Researcher” status, which adds a flag to their Researcher
profile and unlocks additional capabilities as a WordPress security Researcher, such as the ability to
earn Reward Payments for lower install count software and a bonus on all reported Vulnerabilities.
- Eligibility for the 1337 Wordfence Vulnerability Researcher Program
  To be considered for “1337 Wordfence Vulnerability Researcher” status, a Researcher must meet and
  maintain the following requirements.
  - The Researcher must complete at least one of the following:
    - Discover and submit 5 or more Critical Severity, High Impact Vulnerabilities with high
      quality reports.
    - Discover and submit 10 or more High Severity, High Impact Vulnerabilities with high
      quality reports.
  - In addition to completing at least one of the following:
    - Discover and submit 15 high quality Vulnerability reports. These reports have very
      detailed information and an easy to validate proof of concept.
    - Have not submitted more than 10 false positive or out-of-scope Vulnerability reports.
    - Submit proof of an approved offensive security certification or other mastery security
      certification. The following list is exhaustive, and additional qualifying
      certifications may be added over time: OSCP, OSWA, OSWE, OSEP, OSED, eWPTx, eWPT,
      CISSP, CISM, CISA.
  - To maintain 1337 Wordfence Vulnerability Researcher credibility, a Researcher must ensure the
    following is completed each year:
    - Ensure you don’t submit more than 10 false positive or out-of-scope Vulnerability
      reports.
    - Report at least 5 critical severity Vulnerabilities.
    - Report at least 10 medium severity Vulnerabilities.
    - Ensure you don’t submit more than 10 low-quality Vulnerability reports.
  A Researcher’s 1337 Wordfence Vulnerability Researcher status may be revoked at any point if Company
  suspects the Researcher is abusing the system, or at Company’s sole discretion.
- Benefits of being a “1337 Wordfence Vulnerability Researcher”
  - Unlock the ability to submit Vulnerabilities for plugins and themes with lower than the 50k
    active install count threshold (but higher than 1k active installations).
  - Pending Vulnerability submission limit will be increased from 5 to 30 pending reports at any
    given time.
  - A flag will be added to your profile indicating that you are a “1337 Wordfence Vulnerability
    Researcher,” which is a Researcher trusted by the Wordfence team for authentic quality
    Vulnerability research.
  - Earn a 5% Reward Payment bonus on all accepted Vulnerability submissions.