Wordfence Bug Bounty Program — Terms and Conditions

These Wordfence Bug Bounty Program (“Program”) Terms and Conditions (“Terms and Conditions”), describe the terms and conditions of your participation in the Program and are a binding agreement between you (the “Researcher”) and Defiant, Inc., a Delaware corporation, and its officers, directors, employees, agents, licensees, independent contractors, successors, and assigns are referred to herein collectively as “Company.”

For the purposes of these Terms and Conditions, a “Vulnerability” is any information submitted through the Wordfence Vulnerability Submission Form.

Researchers ("you", "your") may submit Vulnerabilities of any type for CVE assignment via the Wordfence Vulnerability Submission Form located at https://www.wordfence.com/threat-intel/vulnerabilities/submit, or our CVE request form located at https://www.wordfence.com/request-cve/. Independent Researchers do not need to participate in the Program in order to report Vulnerabilities to Company or request a CVE ID. If you would like to report a Vulnerability to Company for CVE assignment, or addition to the Wordfence Intelligence Vulnerability database, please use the Wordfence Vulnerability Submission Form.

To participate in the Program, Researchers must accept and follow these Terms and Conditions. Company reserves the right to modify the scope, rules, and vulnerability reward payouts at any time. These Terms and Conditions are incorporated into and made part of the Wordfence Terms of Service by reference. If you do not agree to these Terms and Conditions, do not submit Vulnerabilities through the Program.

1. Wordfence Bug Bounty Program Rules

The Researcher agrees as follows:

Researcher Accounts and General Rules
1. To participate in the Program, Researchers must create a Researcher Account and be authenticated at the time the Researcher submits the Vulnerability. To create a Researcher Account, please visit: https://www.wordfence.com/threat-intel/researcher-register.
2. When you submit a Vulnerability, the Researcher Profile information you provide in connection with your Researcher Account, including your name, alias, display name, Twitter handle, Facebook url, LinkedIn url, website address, and biographical information may be displayed publically and shared with Company service providers and other Researchers.
3. Company must be the only organization a Researcher submits the Vulnerability to, and the Vulnerability must not be previously disclosed elsewhere, in order to be eligible for Reward Payment as set forth in the Wordfence Bug Bounty Reward Payment Schedule.
4. You will not publicly disclose any of the Vulnerability’s details until (a) Company has completed the Responsible Disclosure process set forth at https://www.wordfence.com/blog/2021/07/youve-found-a-vulnerability-now-what-a-guide-to-responsible-disclosure/ and (b) the CVE has been made public. Company will contact you when these two activities are complete.
  1. Vulnerabilities will be considered confidential until they have been published in the Wordfence Intelligence vulnerability database.
  2. If you share details of the Vulnerability with a third party while the company is conducting the responsible disclosure process, you will be given a warning for the first offense. Additional offenses may result in you being banned from participating in the program.
Eligibility and Reward Payment
1. For any submitted Vulnerability to be eligible for Reward Payment, the Vulnerability must be within the bug bounty program scope outlined in the section titled “Bug Bounty Program Scope” below, and the Vulnerability must be Validated as set forth in Section 2(b) of the Wordfence Bug Bounty Program Submission Release.
2. Any Vulnerability may be rejected or returned to the Researcher if it is missing complete details that help validate and confirm the existence of the Vulnerability.
3. A Researcher can only have 5 pending Vulnerability submissions open at any given time, unless they are a 1337 Wordfence Vulnerability Researcher. 1337 Wordfence Vulnerability Researchers can have 30 pending Vulnerability submissions open at any given time.
4. Vulnerabilities dependent upon one or more additional vulnerabilities to exploit are not eligible for Reward Payment, unless the vulnerable software and/or the current version of WordPress Core include(s) all vulnerabilities required to perform a successful exploit.
5. Vulnerabilities that require more than one CVE assignment may not be eligible for more than one Reward Payment (as set forth and defined in the Wordfence Bug Bounty Program Submission Release). The Reward Payment will be awarded for the higher paying CVE’s vulnerability type.
  1. Example: Missing Authorization vulnerabilities that are also vulnerable to Cross-Site Request Forgery are only eligible for the missing authorization Reward Payment, however, the report may receive two CVEs depending on how the two issues were patched.
6. A Vulnerability that affects multiple plugins, themes, libraries, or other software components with the same vulnerable code will be awarded a Reward Payment for the base rate along with a multiplier depending on how many components are affected, as set forth in the Wordfence Bug Bounty Reward Payment Schedule.
7. Vulnerabilities that require high-level privileges to exploit (PR:H), such as access to a user account with the administrator or editor role, may receive a CVE ID, but are not eligible for a Reward Payment.
8. At Company’s sole discretion, Vulnerability submissions may be eligible for bonuses to award exceptional work.
9. In the event of two or more Researchers submitting the same Vulnerability in the same component, the Researcher who submitted first will be the one eligible to receive Reward Payment.
10. Vulnerabilities that have the same code-base as a previously disclosed Vulnerability that received Reward Payment will not be awarded any additional Reward Payment.
11. Only one bounty will be awarded to the first submitting researcher for any given vulnerability type and impact reported and present in the most current version of the affected software, regardless of any additional pieces of functionality being affected and submitted by additional researchers. For example, if researcher A submits a Contributor-level Stored Cross-Site Scripting vulnerability in plugin “ABC” and then three other researchers submit Contributor-level Stored Cross-Site Scripting vulnerabilities in plugin “ABC” in three different widgets, only researcher A will be granted a bounty award. However, if one of the other researchers submits a different type of Stored Cross-Site Scripting, such as Subscriber-level Stored Cross-Site Scripting, they would be eligible for a bounty.
12. Bypasses to patches in vulnerabilities originally reported through the bug bounty program are not eligible for additional bounties unless at least 10 versions have been released.
Prohibited Acts, Banning, and Restriction
1. If we suspect an individual is using automated tools to perform bulk vulnerability discovery, we reserve the right to restrict the level of Reward Payments that individual is eligible for.
2. Developers may not report Vulnerabilities in their own software.
3. Company may terminate, ban, or restrict a Researcher for any reason at the sole discretion of Company.
4. Researchers violating any of these Terms and Conditions may be restricted or banned from the Program and be unable to submit Vulnerabilities.
5. If a Researcher submits more than 5 false positive, low-quality (for example, simply outputting the results of a security scanner), or out-of-scope Vulnerabilities over a period of 7 days, the Researcher’s ability to submit Vulnerabilities will be restricted, as Company’s discretion, for the next 7 days.
  1. After 10 false positive, low-quality, or out-of-scope Vulnerability submissions in a period of one year, the Researcher will be given a warning that they may be permanently banned from participating in the Program.
  2. If the Researcher does not comply after being provided a warning, and continues to submit low-quality reports, they may be permanently banned from participating in the Program.
6. If we suspect a researcher is attempting to game the Bug Bounty Program to bypass current rules and bounty reward criteria, we may restrict or ban the researcher from being able to participate in the program. Examples of gaming include a) withholding vulnerability information from a Vulnerability Submission in attempt to earn an additional bounty by submitting additional information (i.e. a bypass) in a subsequent new report when the initial reported vulnerability is suspected to be patched b) working as a team to submit multiple affected components of the same vulnerability type in a single plugin through different reports to earn a bounty for each affected component (i.e. widget).

2. Bug Bounty Program Scope

Assets Considered In Scope

All WordPress plugins and themes that can be run locally, both free and premium, with >50,000 active installations are in scope for all Researchers, with a few exceptions detailed in the out-of-scope section. If you are a “1337 Wordfence Vulnerability Researcher” (defined below) all WordPress plugins and themes that can be run locally, both free and premium, with greater than 1,000 active installations are in scope, with a few exceptions detailed in the out-of-scope section.
Assets Considered Out of Scope
1. WordPress Core is considered out of scope for the Program, however, we may still assign a CVE ID to any Vulnerability discovered in core.
2. Each software listed below has a publicly published bug bounty or responsible disclosure program and is considered out-of-scope. The list may be updated as more bounty programs are discovered. Please note that any piece of software listed under a competing WordPress Vulnerability Disclosure Program (VDP), Bug Bounty Program, or vulnerability database is not considered out-of-scope as long as the vulnerability is reported directly to us and not the competitor. If you are unsure if you can report a vulnerability to us and potentially earn our bounty rewards, please contact us.
  - All Facebook Products
    - Bug Bounty Program: https://www.facebook.com/whitehat
    - Software: https://profiles.wordpress.org/facebook/
  - All Google Products
    - Bug Bounty Program: https://bughunters.google.com/
    - Software: https://profiles.wordpress.org/google/
  - All Brainstorm Force Products
    - Bug Bounty Program: https://brainstormforce.com/bug-bounty-program/
    - Software: https://profiles.wordpress.org/brainstormforce/
  - WordPress Core
    - Bug Bounty Program: https://hackerone.com/wordpress/
    - Software: https://wordpress.org/
  - All Automattic Products
    - Bug Bounty Program: https://hackerone.com/automattic
    - Software: https://profiles.wordpress.org/automattic/
  - All Siteground Products
    - Bug Bounty Program: https://us.siteground.com/viewtos/responsible_disclosure_policy?scid=4&lang=en
    - Software: https://profiles.wordpress.org/siteground/
3. Plugins or Themes that are closed to downloads or sales are not in scope, unless the closure reason was due to a Vulnerability the reporting Researcher found and responsibly disclosed, and the Researcher has adequate proof they were the one who found and reported the issue.
4. Any web service associated with a WordPress plugin or theme that is not run locally (such as an API running on a plugin vendor’s website) is considered out of scope.
Vulnerabilities Considered In-Scope

All issues in WordPress Plugins and Themes with a considerable impact to the confidentiality, integrity, and availability of a WordPress site are considered in scope of this program as long as they do not require high level permissions (PR:H) to exploit. The following is a list of some common vulnerabilities that will be accepted.
- Stored Cross-Site Scripting
- Reflected Cross-Site Scripting
- Cross-Site Request Forgery, that has a considerable impact on a site’s security
- Missing Authorization, that leads to a considerable impact on a site’s security
- Arbitrary Content Deletion
- SQL Injection
- Insecure Direct Object Reference
- Arbitrary File Upload
- Arbitrary File Download/Read
- Arbitrary File Deletion
- Local File Include/Remote File Include
- Directory Traversal
- Privilege Escalation to Admin
- Privilege Escalation to Non-Admin
- Authentication Bypass to Admin
- Authentication Bypass to Non-Admin
- Remote Code Execution/Code Injection
- Information Disclosure
- Server-Side Request Forgery
- PHP Object Injection
- Intentional Backdoors Added by Developers that are Accessible by Threat Actors
Vulnerabilities Considered Out of Scope

The following is a list of vulnerabilities and issues, explicitly out of scope from the bug bounty program. Vulnerabilities that have a minimal impact on the security of WordPress sites, or are unlikely to be successfully exploited in the wild may be considered out of scope for the program. These issues typically require some form of user interaction that may be challenging to complete, or do not have a considerable impact on the security of WordPress sites.
- CSV Injection
- IP Spoofing, where the only impact is integrity
- Secrets (such as 2FA secrets) that are stored in plaintext in a database that can’t be exploited through another Vulnerability in the plugin
- Web Application Firewall (WAF) Rule Bypasses
- CSS Injection, where this is not a considerable and demonstrable impact to site’s security
- HTML Injection, where this is not a considerable and demonstrable impact to site’s security
- DoS Vulnerabilities, where this is not a considerable and demonstrable impact to site’s security
- CAPTCHA Bypasses
- CORS Issues
- Software containing vulnerable packages or dependencies that are not verifiably exploitable in that plugin or theme
- Any Vulnerability requiring PR:H to Exploit (Administrator, Editor, and Shop Manager roles fall into this category)
- Open Redirect
- TabNabbing
- Vulnerabilities dependent on successfully exploiting a race condition that is not easily replicable in a common configuration.
- Cache Poisoning, where this is not a considerable and demonstrable impact to site’s security
- TOCTOU, where this is not a considerable and demonstrable impact to site’s security
- Self Cross-Site Scripting
- Issues that lead to Username Enumeration
- Theoretical Vulnerabilities
- Lack of HTTP Headers
- Clickjacking
- Cross-Site Request Forgery on unauthenticated forms or on forms with no sensitive actions (examples include disabling a non-critical admin notice)
- Vulnerabilities that only affect users of outdated or unpatched browsers (An outdated or unpatched browser is considered 2 stable versions behind the latest released version).
- Any Vulnerability with a CVSS 3.1 score that is lower than 4.0 and can’t be leveraged to achieve a higher score.
- Vulnerabilities only exploitable on configurations running EOL versions of software, such as PHP, mysql, apache, nginx, openssl
- Any SQL Injection that requires wp_magic_quotes to be disabled in order to exploit
- Security issues or vulnerabilities that require local access to the server to exploit
- Vulnerabilities that can only be exploited by an administrator explicitly granting access to a lower-privileged user
- Vulnerabilities that require brute force to exploit

3. 1337 Wordfence Vulnerability Researcher Program

The 1337 Wordfence Vulnerability Researcher Program is a program designed to incentivize the most high-quality Researchers contributing to the security of the WordPress ecosystem. Once a Researcher has demonstrated authenticity and meaningful research, by meeting the outlined criteria, they will be awarded the “1337 Wordfence Vulnerability Researcher” status that will add a flag to their Researcher profile and unlock additional capabilities as a WordPress security Researcher, such as the ability to earn Reward Payments for lower install count software and a bonus on all reported Vulnerabilities.

Eligibility for the 1337 Wordfence Vulnerability Researcher Program

To be considered for “1337 Wordfence Vulnerability Researcher” status, a Researcher must meet and maintain the following requirements.
1. The Researcher must complete at least one of the following:
  - Discover and submit 5 or more Critical Severity, High Impact Vulnerabilities with high quality reports.
  - Discover and submit 10 or more High Severity, High Impact Vulnerabilities with high quality reports.
2. In addition to completing at least one of the following:
  - Discover and submit 15 high quality Vulnerability reports. These reports have very detailed information and an easy to validate proof of concept.
  - Has not submitted more than 10 false positive or out-of-scope Vulnerability reports.
  - Submit proof of approved offensive security certification or other mastery security certification. The following list is exhaustive, and additional qualifying certifications may be added over time: OSCP, OSWA, OSWE, OSEP, OSED, eWPTx, eWPT, CISSP, CISM, CISA.
3. To maintain 1337 Wordfence Vulnerability Researcher credibility, a Researcher must ensure the following is completed each year:
  - Ensure you don’t submit more than 10 false positive or out-of-scope Vulnerability reports.
  - Report at least 5 critical severity Vulnerabilities
  - Report at least 10 medium severity Vulnerabilities
  - Ensure you don’t submit more than 10 low-quality Vulnerability reports
A Researcher’s 1337 Wordfence Vulnerability Researcher status may be revoked at any point if Company suspects the Researcher is abusing the system or at Company’s sole discretion.
Benefits of being a “1337 Wordfence Vulnerability Researcher”
1. Unlock the ability to submit Vulnerabilities for plugins and themes with lower than the 50k active install count threshold (but higher than 1k active installations).
2. Pending Vulnerability submission limit will be increased from 5 to 30 pending reports at any given time.
3. A flag will be added to your profile indicating that you are a “1337 Wordfence Vulnerability Researcher,” which is a Researcher trusted by the Wordfence team for authentic quality Vulnerability research
4. Earn a 5% Reward Payment bonus on all accepted Vulnerability submissions