Wordfence Bug Bounty Program — Terms and Conditions

These Wordfence Bug Bounty Program (“Program”) Terms and Conditions (“Terms and Conditions”) describe the terms and conditions of your participation in the Program and are a binding agreement between you (the “Researcher”) and Defiant, Inc., a Delaware corporation, which together with its officers, directors, employees, agents, licensees, independent contractors, successors, and assigns is referred to herein collectively as “Company.”

For the purposes of these Terms and Conditions, a “Vulnerability” is any information submitted through the Wordfence Vulnerability Submission Form.

Researchers may submit Vulnerabilities of any type for CVE assignment via the Wordfence Vulnerability Submission Form located at https://www.wordfence.com/threat-intel/vulnerabilities/submit, or our CVE request form located at https://www.wordfence.com/request-cve/. Independent Researchers do not need to participate in the Program in order to report Vulnerabilities to Company or request a CVE ID. If you would like to report a Vulnerability to Wordfence for CVE assignment, or addition to the Wordfence Intelligence Vulnerability database, please use the Wordfence Vulnerability Submission Form.

To participate in the Program, Researchers must accept and follow these Terms and Conditions. Company reserves the right to modify the scope, rules, and vulnerability reward payouts at any time. These Terms and Conditions are incorporated into and made part of the Wordfence Terms of Service by reference. If you do not agree to these Terms and Conditions, do not submit Vulnerabilities through the Program.

1. Wordfence Bug Bounty Program Rules

The Researcher agrees as follows:

  1. Researcher Accounts and General Rules

    1. To participate in the Program, Researchers must create a Researcher Account and be authenticated at the time the Researcher submits the Vulnerability. To create a Researcher Account, please visit: https://www.wordfence.com/threat-intel/researcher-register.
    2. When you submit a Vulnerability, the Researcher Profile information you provide in connection with your Researcher Account, including your name, alias, display name, Twitter handle, Facebook URL, LinkedIn URL, website address, and biographical information, may be displayed publicly and shared with Company service providers and other Researchers.
    3. Company must be the only organization a Researcher submits the Vulnerability to, and the Vulnerability must not be previously disclosed elsewhere, in order to be eligible for Reward Payment as set forth in the Wordfence Bug Bounty Reward Payment Schedule.
    4. If you opt to have Wordfence handle the responsible disclosure process, you will not publicly disclose any of the Vulnerability’s details until the CVE has been made public; by that point Wordfence will have followed its posted responsible disclosure guidelines and will contact you.
      1. Vulnerabilities should be considered confidential until they have been published in the Wordfence Intelligence vulnerability database.
      2. If details are shared with a third party while in the responsible disclosure period, a Researcher will be given a warning for the first offense. Additional offenses may result in the Researcher being banned from participating in the program.
  2. Eligibility and Reward Payment

    1. For any submitted Vulnerability to be eligible for Reward Payment, it must be within the bug bounty program scope outlined in the section titled “Bug Bounty Program Scope” below.
    2. Any Vulnerability may be rejected or returned to the Researcher if it is missing complete details that help validate and confirm the existence of the Vulnerability.
    3. A Researcher can only have 5 pending Vulnerability submissions open at any given time, unless they are a 1337 Wordfence Vulnerability Researcher. 1337 Wordfence Vulnerability Researchers can have 30 pending Vulnerability submissions open at any given time.
    4. Vulnerabilities dependent upon one or more additional vulnerabilities to exploit are not eligible for Reward Payment, unless the vulnerable software and/or the current version of WordPress Core include(s) all vulnerabilities required to perform a successful exploit.
    5. Vulnerabilities that require more than one CVE assignment may not be eligible for more than one Reward Payment (as set forth and defined in the Wordfence Bug Bounty Program Submission Release). The Reward Payment will be awarded for the higher-paying CVE’s vulnerability type.
      1. Example: a Missing Authorization vulnerability whose endpoint is also vulnerable to Cross-Site Request Forgery is eligible only for the Missing Authorization Reward Payment; however, the report may receive two CVEs depending on how the two issues were patched.
    6. A Vulnerability that affects multiple plugins, themes, libraries, or other software components with the same vulnerable code will be awarded a Reward Payment for the base rate along with a multiplier depending on how many components are affected, as set forth in the Wordfence Bug Bounty Reward Payment Schedule.
    7. Vulnerabilities that require high-level privileges to exploit (PR:H), such as access to a user account with the administrator or editor role, may receive a CVE ID, but are not eligible for a Reward Payment.
    8. At Company’s sole discretion, Vulnerability submissions may be eligible for bonuses to award exceptional work.
    9. In the event of two or more Researchers submitting the same Vulnerability in the same component, the Researcher who submitted first will be the one eligible to receive Reward Payment.
    10. Vulnerabilities that have the same code-base as a previously disclosed Vulnerability that received Reward Payment will not be awarded any additional Reward Payment.
    11. If you are a Researcher who handled responsible disclosure of a Vulnerability, and the plugin and/or theme was closed for downloads as a result of that disclosure, you must report the Vulnerability to us within 48 hours of the plugin or theme closure, along with proof that you were the Researcher whose report led to the closure/removal of the software, to be eligible for Reward Payment.
  3. Prohibited Acts, Banning, and Restriction

    1. If we suspect an individual is using automated tools to perform bulk vulnerability discovery, we reserve the right to restrict the level of Reward Payments that individual is eligible for.
    2. Developers may not report Vulnerabilities in their own software.
    3. Company may terminate, ban, or restrict a Researcher for any reason at the sole discretion of Company.
    4. Researchers violating any of these Terms and Conditions may be restricted or banned from the Program and be unable to submit Vulnerabilities.
    5. Researchers must adhere to all responsible disclosure policies listed at https://www.wordfence.com/security.
    6. If a Researcher submits more than 5 false positive, low-quality (for example, simply outputting the results of a security scanner), or out-of-scope Vulnerabilities over a period of 7 days, the Researcher’s ability to submit Vulnerabilities will be restricted, at Company’s discretion, for the next 7 days.
      1. After 10 false positive, low-quality, or out-of-scope Vulnerability submissions in a period of one year, the Researcher will be given a warning that they may be permanently banned from participating in the Program.
      2. If the Researcher does not comply after being provided a warning, and continues to submit low-quality reports, they may be permanently banned from participating in the Program.

2. Bug Bounty Program Scope

  1. Assets Considered In Scope

    All WordPress plugins and themes that can be run locally, both free and premium, with >50,000 active installations are in scope for all Researchers, with a few exceptions detailed in the out-of-scope section. If you are a “1337 Wordfence Vulnerability Researcher” (defined below) all WordPress plugins and themes that can be run locally, both free and premium, with greater than 1,000 active installations are in scope, with a few exceptions detailed in the out-of-scope section.

  2. Assets Considered Out of Scope

    1. WordPress Core is considered out of scope for the Program; however, we may still assign a CVE ID to any Vulnerability discovered in core.
    2. Any software that currently has a publicly published bug bounty or responsible disclosure program. This list is non-exhaustive and may update as more bounty programs are discovered.
    3. Plugins or Themes that are closed to downloads or sales are not in scope, unless the closure reason was due to a Vulnerability the reporting Researcher found and responsibly disclosed, and the Researcher has adequate proof they were the one who found and reported the issue.
    4. Any web service associated with a WordPress plugin or theme that is not run locally (such as an API running on a plugin vendor’s website) is considered out of scope.
  3. Vulnerabilities Considered In Scope

    All issues in WordPress plugins and themes with a considerable impact to the confidentiality, integrity, and availability of a WordPress site are considered in scope of this program as long as they do not require high-level permissions (PR:H) to exploit. The following is a list of some common vulnerabilities that will be accepted.

    • Stored Cross-Site Scripting
    • Reflected Cross-Site Scripting
    • Cross-Site Request Forgery, that has a considerable impact on a site’s security
    • Missing Authorization, that leads to a considerable impact on a site’s security
    • Arbitrary Content Deletion
    • SQL Injection
    • Insecure Direct Object Reference
    • Arbitrary File Upload
    • Arbitrary File Download/Read
    • Arbitrary File Deletion
    • Local File Include/Remote File Include
    • Directory Traversal
    • Privilege Escalation to Admin
    • Privilege Escalation to Non-Admin
    • Authentication Bypass to Admin
    • Authentication Bypass to Non-Admin
    • Remote Code Execution/Code Injection
    • Information Disclosure
    • Server-Side Request Forgery
    • PHP Object Injection
    • Intentional Backdoors Added by Developers that are Accessible by Threat Actors
  4. Vulnerabilities Considered Out of Scope

    The following vulnerabilities and issues are explicitly out of scope for the bug bounty program. Vulnerabilities that have a minimal impact on the security of WordPress sites, or that are unlikely to be successfully exploited in the wild, may be considered out of scope for the program. These issues typically require some form of user interaction that may be challenging to complete, or do not have a considerable impact on the security of WordPress sites.

    • CSV Injection
    • IP Spoofing, where the only impact is integrity
    • Secrets (such as 2FA secrets) that are stored in plaintext in a database that can’t be exploited through another Vulnerability in the plugin
    • Web Application Firewall (WAF) Rule Bypasses
    • CSS Injection, where there is no considerable and demonstrable impact to the site’s security
    • HTML Injection, where there is no considerable and demonstrable impact to the site’s security
    • DoS Vulnerabilities, where there is no considerable and demonstrable impact to the site’s security
    • CAPTCHA Bypasses
    • CORS Issues
    • Software containing vulnerable packages or dependencies that are not verifiably exploitable in that plugin or theme
    • Any Vulnerability requiring PR:H (Administrator or Editor roles typically fall into this category)
    • Open Redirect
    • Tabnabbing
    • Vulnerabilities dependent on successfully exploiting a race condition that is not easily replicable in a common configuration.
    • Cache Poisoning, where there is no considerable and demonstrable impact to the site’s security
    • TOCTOU, where there is no considerable and demonstrable impact to the site’s security
    • Self Cross-Site Scripting
    • Issues that lead to Username Enumeration
    • Theoretical Vulnerabilities
    • Lack of HTTP Headers
    • Clickjacking
    • Cross-Site Request Forgery on unauthenticated forms or on forms with no sensitive actions (examples include disabling a non-critical admin notice)
    • Vulnerabilities that only affect users of outdated or unpatched browsers (an outdated or unpatched browser is considered one that is 2 stable versions behind the latest released version).
    • Any Vulnerability with a CVSS 3.1 score that is lower than 4.0 and can’t be leveraged to achieve a higher score.
    • Vulnerabilities only exploitable on configurations running EOL versions of software, such as PHP, MySQL, Apache, nginx, or OpenSSL

3. 1337 Wordfence Vulnerability Researcher Program

The 1337 Wordfence Vulnerability Researcher Program is a program designed to incentivize the highest-quality Researchers contributing to the security of the WordPress ecosystem. Once a Researcher has demonstrated authenticity and meaningful research by meeting the outlined criteria, they will be awarded “1337 Wordfence Vulnerability Researcher” status, which adds a flag to their Researcher profile and unlocks additional capabilities as a WordPress security Researcher, such as the ability to earn Reward Payments for lower install count software and a bonus on all reported Vulnerabilities.

  1. Eligibility for the 1337 Wordfence Vulnerability Researcher Program

    To be considered for “1337 Wordfence Vulnerability Researcher” status, a Researcher must meet and maintain the following requirements.

    1. The Researcher must complete at least one of the following:
      • Discover and submit 5 or more Critical Severity, High Impact Vulnerabilities with high quality reports.
      • Discover and submit 10 or more High Severity, High Impact Vulnerabilities with high quality reports.
    2. In addition to completing at least one of the following:
      • Discover and submit 15 high-quality Vulnerability reports. These reports have very detailed information and an easy-to-validate proof of concept.
      • Have submitted no more than 10 false positive or out-of-scope Vulnerability reports.
      • Submit proof of an approved offensive security certification or other mastery security certification. The following list is currently exhaustive; additional qualifying certifications may be added over time: OSCP, OSWA, OSWE, OSEP, OSED, eWPTx, eWPT, CISSP, CISM, CISA.
    3. To maintain 1337 Wordfence Vulnerability Researcher credibility, a Researcher must ensure that each year they:
      • Do not submit more than 10 false positive or out-of-scope Vulnerability reports.
      • Report at least 5 critical severity Vulnerabilities.
      • Report at least 10 medium severity Vulnerabilities.
      • Do not submit more than 10 low-quality Vulnerability reports.

    A Researcher’s 1337 Wordfence Vulnerability Researcher status may be revoked at any point if Company suspects the Researcher is abusing the system or at Company’s sole discretion.

  2. Benefits of being a “1337 Wordfence Vulnerability Researcher”

    1. Unlock the ability to submit Vulnerabilities for plugins and themes with lower than the 50k active install count threshold (but higher than 1k active installations).
    2. Pending Vulnerability submission limit will be increased from 5 to 30 pending reports at any given time.
    3. A flag will be added to your profile indicating that you are a “1337 Wordfence Vulnerability Researcher,” which is a Researcher trusted by the Wordfence team for authentic, quality Vulnerability research.
    4. Earn a 5% Reward Payment bonus on all accepted Vulnerability submissions.
