WordPress is an open-source publishing platform. Our HackerOne program covers the Core software, as well as a variety of related projects and infrastructure.

Our most critical targets are:

Source code for most websites can be found in the Meta repository (git clone git:// The Meta Environment will automatically provision a local copy of some sites for you.

For more targets, see the In Scope section below.

Please note that is a separate entity from the main WordPress open source project. Please report vulnerabilities for or the WordPress mobile apps through Automattic's HackerOne page.

Qualifying Vulnerabilities

Any reproducible vulnerability that has a severe effect on the security or privacy of our users is likely to be in scope for the program. Common examples include XSS, CSRF, SSRF, RCE, SQLi, and privilege escalation.

We generally aren’t interested in the following problems:

Responsible Disclosure Guidelines

We're committed to working with security researchers to resolve the vulnerabilities they discover. You can help us by following these simple guidelines:

  • Follow HackerOne's general guidelines.
  • Make a good faith effort to avoid privacy violations, and destruction or modification of data on live sites. Most of our source code is freely available, so please test against a local development environment whenever possible.
  • Give us a reasonable time to correct the issue before making any information public. We care deeply about security, but as an open-source project, our team is mostly comprised of volunteers. Because WordPress is distributed software rather than a SaaS, and because it has a large ecosystem of 3rd party integrations, our release process takes longer than others. That's necessary to allow us adequate time for various forms of peer-review and testing, to make sure that security fixes don't break millions of websites when they're installed automatically.

You are expected to comply with all applicable laws in connection with your participation in this program and you are responsible for the payment of any taxes associated with rewards received.


FireBounty (c) 2015-2019