Today, we’re incredibly excited to launch a new challenge for the Wordfence Bug Bounty Program: the WordPress Superhero Challenge! Through October 14th, we’re introducing a new active installation count range for our bounties for plugins and themes with 5,000,000+ active installations and we are tripling our current top bounties for this new range.
This means that our top bounty during the challenge will be $31,200!
We’re calling all leading researchers who are up for the challenge. While all WordPress vulnerability researchers are heroes in our eyes, it often takes a superhero to find a vulnerability in a plugin or theme with over 5,000,000 active installs thanks to the rigorous testing that these products endure prior to entering production. By running this challenge, we want to supercharge the amount of research going into these extremely popular products, thereby improving the security of hundreds of millions of visitors to sites with these products installed.
We are also introducing a new badge for this challenge, the “WordPress Superhero” badge which will be unlocked for any researcher who submits a critical or high severity vulnerability in a plugin or theme with >= 5,000,000 Active Installs. Check it out below:
To spark some inspiration, here is a list of some bounty reward possibilities during the Superhero Challenge:
- $31,200 for an Unauthenticated Arbitrary PHP File Upload Vulnerability (where the uploaded file can be executed)
  - $23,400 if it requires Subscriber-level Authentication to exploit
  - $3,900 if it requires Contributor/Author-level Authentication to exploit
- $31,200 for an Unauthenticated Remote Code Execution Vulnerability
  - $23,400 if it requires Subscriber-level Authentication to exploit
  - $3,900 if it requires Contributor/Author-level Authentication to exploit
- $31,200 for an Unauthenticated Privilege Escalation to Admin or Authentication Bypass to Admin Vulnerability
  - $23,400 if it requires Subscriber-level Authentication to exploit
  - $3,900 if it requires Contributor/Author-level Authentication to exploit
- $21,600 for an Unauthenticated Arbitrary File Deletion Vulnerability
  - $16,200 if it requires Subscriber-level Authentication to exploit
  - $2,700 if it requires Contributor/Author-level Authentication to exploit
- $9,600 for an Unauthenticated Arbitrary File Read Vulnerability
  - $7,200 if it requires Subscriber-level Authentication to exploit
  - $1,200 if it requires Contributor/Author-level Authentication to exploit
- $9,600 for an Unauthenticated SQL Injection Vulnerability
  - $7,200 if it requires Subscriber-level Authentication to exploit
  - $1,200 if it requires Contributor/Author-level Authentication to exploit
- $3,840 for an Unauthenticated Stored Cross-Site Scripting Vulnerability
  - $2,880 if it requires Subscriber-level Authentication to exploit
  - $480 if it requires Contributor/Author-level Authentication to exploit
For more information on all the bounties we award, check out our bounty calculator here.
Wordfence continues to provide more funding for WordPress security research than any other organization. To date, we have awarded over $300,000 in bounties since the Bug Bounty Program launched in November of last year (2023). The vulnerabilities discovered are confidentially disclosed to vendors, who we work with to ensure their products are patched and released before any research is published. We then publish prominent vulnerabilities on our blog to help other security vendors improve their products, and to create awareness in the community about the risks of not updating.
Wordfence also provides a completely free vulnerability database via a web interface along with a webhook integration and an API that are both free to use. While some vendors consider vulnerabilities proprietary, we consider them public property, and to that end we do not charge for our vulnerability database or have any time limits on when a vulnerability is published in the database, other than the responsible disclosure period during which a vendor is fixing their product.
By funding more vulnerability research than any other organization and releasing vulnerabilities to the community in a timely fashion, we further our mission of securing the Web.
If you are a vulnerability researcher, know that the WordPress community is grateful for the important work that you do, and the Wordfence team is proud to join you in fulfilling our mission of securing the Web. If you’re not a researcher yet, get started by learning more and signing up here. Happy hunting!