Last year was a year of growth and refinement for the Wordfence Threat Intelligence team. In December of 2023, we launched our Bug Bounty Program, rewarding security researchers for identifying and reporting in-scope vulnerabilities to further our mission of Securing the Web while contributing to the WordPress community.
In our first year, we received over 5,100 vulnerability submissions, ultimately validating more than 4,400 vulnerabilities after filtering out duplicates and false positives. We also awarded over $450,000 in bounties during 2024 alone.
Every vulnerability submitted undergoes manual testing, documentation, and coordinated disclosure with the vendor. We then make this data freely available through our vulnerability API and webhooks integration, ensuring the entire WordPress ecosystem benefits from the research.
In this article, learn more about the incredible success of the Wordfence Bug Bounty Program, what we’re looking forward to in the future, and how the Wordfence Threat Intelligence team will continue to invest in making the WordPress community and the web a safer place.
Key Takeaways
- Celebrating Success & Growth – In its first year, the Wordfence Bug Bounty Program validated over 4,400 vulnerabilities, awarded $450,000 in bounties, and introduced multiple challenge events to incentivize impactful research.
- Focusing On Greater Impact For The WordPress Community – Wordfence is shifting towards prioritizing high-risk vulnerabilities over bulk hunting, ensuring meaningful security improvements rather than inflating vulnerability counts – we believe this will have a much more significant impact on the security of the WordPress community.
- Expanded Scope and New Bonuses – The program now covers more software categories, and we’re adding new bonuses like the Monthly Bug Detector Streak Bonus and keeping the Superhero Bounties for high impact vulnerabilities (Up to $31,200!).
- Investing In New Resources To Help Researchers – We have the best community of researchers in the world, and will continue to invest in helping them earn more: an amazing Discord Community, free educational resources for advancing skills, a referral program for even more earning potential, and an advanced researcher dashboard to keep track of progress.
Refining the Bug Bounty Program
Over the past year, we introduced several promotions such as the 0-day Threat Hunt, Superhero Challenge, Cybersecurity Month Spooktacular Haunt, XSSplorer Challenge, and End of Year Holiday Extravaganza challenges, just to name a few, to determine the best approach for the program. Our key takeaway was that proper incentives lead to higher-impact findings, and that more opportunities for beginners lead to higher participation from new researchers, which in turn develops into better research.
We also launched many exciting new initiatives like the Researcher Dashboard for researchers to easily manage and track all of their submissions, and our Refer a Researcher program which rewards researchers with money for referring new researchers.
For 2025, we are refining our approach to strike the right balance between encouraging impactful research, minimizing low-risk security noise, and creating opportunities for both new and experienced researchers.
Based on our experience last year, we believe that incentivizing bulk hunting for CVEs and bounties does not best serve the WordPress community: it creates additional workload at every level (researchers, vulnerability triagers, developers, the WordPress.org security team, and more) and distracts from high-severity, high-impact issues. Instead, our focus will be on fostering high-quality research while still providing opportunities for emerging security researchers to grow.
We believe that remediating 20 high-risk vulnerabilities that are likely to be exploited is far more valuable than addressing 200 low-impact vulnerabilities that pose little real-world risk. But with that in mind, it’s also important to provide opportunities for beginners.
Our goal is to ensure that research efforts lead to meaningful security improvements, rather than inflating vulnerability counts.
Key Updates to the Bug Bounty Program in 2025
Monthly Bug Detector Streak Bonus – Encouraging Consistency & Growth
Our Bug Bounty Program attracts some of the best security researchers in the field, but we also want to create a clear pathway for newcomers to gain experience and grow within the WordPress security space.
To support this, we are introducing the Monthly Bug Detector Streak Bonus, which rewards researchers for consistent and high-quality vulnerability submissions.
Each calendar month, researchers can earn bonus rewards based on the quantity and quality of their vulnerability reports. The bonuses are not cumulative, and your final reward is determined by the highest tier you reach. For example, if you qualify for a bonus at 10 total submissions, your total streak reward would be $75. We hope that this strikes a balance between providing opportunities for beginners to grow and not creating an influx of low-risk vulnerability submissions.
Here is our Bonus Structure Breakdown:
Apprentice Bug Detector (Submissions 1–10)
This level counts both in-scope and out-of-scope vulnerabilities, except those explicitly considered out-of-scope based on their type (e.g., requiring administrative-level access). At this level researchers can earn:
- $35 for submitting at least 5 valid vulnerabilities.
- $75 for submitting at least 10 valid vulnerabilities.
Trainee Bug Detector (Submissions 11–30)
At this level only in-scope vulnerabilities qualify. Here researchers can earn:
- $200 for 20 total valid submissions, with at least 10 in-scope.
- $300 for 30 total valid submissions, with at least 20 in-scope.
Professional Bug Detector (Submissions 31+)
Only vulnerabilities from our high-threat list count toward the bonus. At this level, researchers can earn:
- $600 for 40 valid submissions, with at least 20 in-scope and 10 from the high-threat list.
- $1,000 for 50 valid submissions, with at least 20 in-scope and 20 from the high-threat list.
- $1,200 for 60 valid submissions, with at least 20 in-scope and 30 from the high-threat list.
We’ve also added an exciting radar tracker to the researcher dashboard for researchers to track their progress in the current month’s streak, as well as the previous month’s.
By implementing this structured bonus system, we aim to incentivize consistent, high-quality research while providing a clear growth path for security researchers at all levels.
Superhero Challenge – High-Value Bounties up to $31,200
In 2024, we introduced the Superhero Challenge, which offered up to $31,200 for critical vulnerabilities in software with over 5 million active installations.
While no such vulnerabilities were reported to us, demonstrating the security of widely used WordPress plugins and themes, we believe this opportunity remains valuable.
The Superhero Challenge bounties will continue in 2025, offering a substantial bounty for any critical, easily exploitable vulnerability found in software with over 5 million active installations. We will continue to provide industry leading rewards for vulnerability research in WordPress software.
Expanding Scope for High-Risk Research
To further support meaningful security research and provide more opportunities for our researchers, we are increasing our scope in several areas:
High-Threat Issues: Now includes any software with at least 25 active installations, an increase in scope from the previous 1,000 active installation minimum. Please note software with 25-999 active installations must be hosted in the WordPress.org repository to be considered in-scope.
Common & Dangerous Vulnerabilities: A newly introduced category that applies to Stored Cross-Site Scripting and SQL Injection vulnerabilities found in software with 500 or more active installations, an increase in scope from the previous 50,000 active installation minimum. Please note software with 500-999 active installations must be hosted in the WordPress.org repository to be considered in-scope.
1337 Researchers: Expanded to include all software with at least 500 active installations, an increase in scope from the previous 1,000 active installation minimum.
Resourceful Researchers: Now includes all software with 10,000 or more active installations, an increase in scope from the previous 15,000 active installation minimum.
These updates ensure that research efforts are focused on vulnerabilities that have a meaningful impact on WordPress security and provide more opportunities for our researchers.
Easier Path to the Resourceful Researcher Tier
The Resourceful Researcher tier provides expanded scope access, and we have adjusted the requirements to make it more attainable.
- Researchers can now unlock this tier by submitting 10 medium-impact, high/critical-severity vulnerabilities.
This change makes it easier for dedicated researchers hunting for critical issues in lower install count software to access broader scope opportunities while maintaining high standards for security impact.
Increasing Pending Report Limits
During the End-of-Year Holiday Extravaganza, we observed that unlimited submissions strained our ability to triage reports efficiently. At the same time, we saw that many researchers quickly reached their pending submission limits.
To address this, we will be slightly increasing pending report limits across the board. This ensures that researchers have greater flexibility while we maintain reasonable triage times for all researchers.
- Standard Researchers will have an increase from 5 to 10
- Resourceful Researchers will have an increase from 15 to 25
- 1337 Researchers will have an increase from 30 to 50
Adjustments to Bounty Awards
To align incentives with security impact, we have also made several adjustments to bounty payouts, including the following:
- Lowering rewards for vulnerabilities with minimal real-world risk and for vulnerability types that are more commonly found, such as Contributor-level exploits that do not pose a significant threat to most WordPress sites. We hope that expanding scope for higher-severity issues and reducing payouts for these vulnerability types will direct efforts toward higher-severity, higher-impact vulnerability research.
- Adjusting bounty ranges based on installation count to ensure awards are proportionate to real-world risk.
- Introducing a minimum bounty of $5, ensuring that all valid reports receive a minimum reward.
We hope that these adjustments will help direct research efforts toward vulnerabilities that provide the most value to the security of the WordPress ecosystem and allow us to sustain the program long term while offering bounties up to $31,200 for high-impact issues. These bounty adjustments will apply to all submissions from March 1st, 2025 onward.
Looking Ahead
Our mission remains the same: to provide the fastest and most effective vulnerability protection for WordPress through Wordfence while also strengthening the broader ecosystem by:
- Providing incentives and opportunities to earn rewards for security research in WordPress which contributes to the open-source WordPress security ecosystem.
- Helping vendors patch software efficiently.
- Providing educational resources for both vendors and researchers.
- Giving back security information to the community that can be used to protect their systems.
These updates reflect our ongoing commitment to supporting high-quality security research, rewarding impactful findings, and creating opportunities for the next generation of security researchers.
We’re excited to see the next wave of groundbreaking research from our bug bounty hunters in 2025! Join us in securing the WordPress ecosystem. Let’s make 2025 the best year yet for WordPress security!
Sign up for the Bug Bounty Program today.
The post Enhancing the Wordfence Bug Bounty Program: New Incentives & a Stronger Focus on High-Impact Research appeared first on Wordfence.