Earn up to $10,000 for Vulnerabilities in WordPress Software – 6X Rewards in the Wordfence Holiday Bug Extravaganza!

At Wordfence our mission is to Secure The Web. WordPress powers over 40% of the Web, and Wordfence secures over 4 million WordPress websites. Today we are announcing that for the next 20 days, Wordfence will be paying out some of the highest bug bounties in the history of WordPress to help find vulnerabilities in WordPress software that could put users at risk.

As a reminder, we republish these vulnerabilities for free and at no cost for use by vendors, researchers, and anyone else interested, to help secure the WordPress community. That includes free programmatic access via our API. It also includes free use of the data to mass scan WordPress servers for vulnerabilities via Wordfence CLI, which includes completely free vulnerability scanning with no limitations.

In other words, Wordfence is about to pay out a large amount of cash to turn WordPress into a much more secure platform, and we are going to give all that research away for free. We are hoping to pay out at least $100,000 to vulnerability researchers in the next 20 days, and we would like you to help us beat that goal. Let’s find the really bad stuff no one knows about yet, and get WordPress locked down to start 2024 on the right foot!

Here are the details:

It’s the season of giving, and at Wordfence we are all about giving! That’s why we have decided to run a Holiday Bug Extravaganza from today through December 20th, 2023. All researchers will earn 6.25x our normal bounty reward rates for any eligible vulnerabilities submitted as part of the Wordfence Bug Bounty Program. This means researchers can earn up to $10,000 for individual vulnerabilities reported to us in WordPress software that is in-scope for our program.


Get started by signing up as a researcher and submitting a vulnerability today!

Register as a Researcher    Submit Vulnerability


Please note that we have one additional requirement for this extravaganza: Given the high payouts, we require that Wordfence handle the responsible disclosure process for vulnerabilities submitted during the extravaganza, instead of the researcher interacting with the vendor directly. Most researchers prefer this approach and ask us to handle responsible disclosure, because having Wordfence reach out tends to get a faster response. We’ve made this a requirement for the extravaganza so that we can directly work with vendors to validate vulnerabilities. There will be no delay in disclosure and no delay in adding vulnerabilities to our database, workload permitting.

Examples of Bounty Rewards You Can Earn with the current Holiday Extravaganza Bonus: 

  • $1,600 $10,000 for an Unauthenticated Remote Code Execution, Arbitrary File Upload, Privilege Escalation to Admin, Arbitrary Options Update, or Authentication Bypass to Admin in a plugin/theme with 1,000,000+ installs.
    • $1,200 $7,500 if the plugin/theme is within the 500,000 – 999,999 active install count range
    • $600 $3,750 if the plugin/theme is within the 100,000 – 499,999 active install count range
    • $400 $2,625 if the plugin/theme is within the 50,000 – 99,999 active install count range
    • All bounty rewards decrease as authentication requirements increase, and may decrease if the vulnerability is highly complex to exploit or the impact is limited (i.e. non-default setting required).
  • $800 $5,000 for an Unauthenticated SQL Injection or Local File Include in a plugin/theme with 1,000,000+ installs.
    • $600 $3,650 if the plugin/theme is within the 500,000 – 999,999 active install count range
    • $300 $1,875 if the plugin/theme is within the 100,000 – 499,999 active install count range
    • $200 $1,250 if the plugin/theme is within the 50,000 – 99,999 active install count range
    • All bounty rewards decrease as authentication requirements increase, and may decrease if the vulnerability is highly complex to exploit or the impact is limited (i.e. non-default setting required).
  • $320 $2,000 for an Unauthenticated Stored Cross-Site Scripting, Missing Authorization, PHP Object Injection (w/no useable gadget), Information Disclosure, or Server-Side Request Forgery vulnerability in a plugin/theme with 1,000,000+ Installs
    • $240 $1,500 if the plugin/theme is within the 500,000 – 999,999 active install count range
    • $120 $750 if the plugin/theme is within the 100,000 – 499,999 active install count range
    • $80 $500 if the plugin/theme is within the 50,000 – 99,999 active install count range
    • All bounty rewards decrease as authentication requirements increase, and may decrease if the vulnerability is highly complex to exploit or the impact is limited (i.e. non-default setting required).
  • $80 $500 for an Reflected Cross-Site Scripting or Cross-Site Request Forgery vulnerability in a plugin/theme with 1,000,000+ Installs
    • $60 $375 if the plugin/theme is within the 500,000 – 999,999 active install count range
    • $30 $187.50 if the plugin/theme is within the 100,000 – 499,999 active install count range
    • $20 $125 if the plugin/theme is within the 50,000 – 99,999 active install count range
    • All bounty rewards are based a required user interaction component & no authentication, and may decrease if the vulnerability is highly complex to exploit or the impact is limited (i.e. non-default setting required)

How to Participate in the Wordfence Holiday Bug Extravaganza: 

  1. Review our Reward Payout Schedule here, along with our terms and conditions.
  2. Register as a researcher. Please note all profiles are moderated within 72 hours (typically much faster), but you can submit your first vulnerability while waiting for profile approval.
  3. Submit your vulnerability using the vulnerability submission form whenever you are ready.
  4. Kick back, relax, and enjoy that cup of peppermint hot cocoa (or beverage of choice) ☕, while the Wordfence team validates the report, awards you a bounty, and works with the developer to ensure it gets patched.

Please share and forward this with your friends so everyone can take advantage of this incredible extravaganza!

The post Earn up to $10,000 for Vulnerabilities in WordPress Software – 6X Rewards in the Wordfence Holiday Bug Extravaganza! appeared first on Wordfence.

More great articles

WordPress Core 6.2.1 Security & Maintenance Release – What You Need to Know

On May 16, 2023, the WordPress core team released WordPress 6.2.1, which contains patches for 5 vulnerabilities, including a Medium…

Read Story

WordPress Vulnerability & Patch Roundup March 2023

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are…

Read Story

All In One SEO Pack Vulnerabilities Impacting 3 Million Sites Patched

On January 26, 2023, the Wordfence Team responsibly disclosed two vulnerabilities in All In One SEO Pack, a WordPress plugin…

Read Story

Emergency WordPress Help

One of our techs will get back to you within minutes.