WordPress

WordPress is an open-source publishing platform. Our HackerOne program covers the Core software, as well as a variety of related projects and infrastructure.

Our most critical targets are:

Source code for most websites can be found in the Meta repository (git clone git://). The Meta Environment will automatically provision a local copy of some sites for you.

For more targets, see the In Scope section below.

Please note that is a separate entity from the main WordPress open source project. Please report vulnerabilities for or the WordPress mobile apps through Automattic's HackerOne page.

Qualifying Vulnerabilities

Any reproducible vulnerability that has a severe effect on the security or privacy of our users is likely to be in scope for the program. Common examples include XSS, CSRF, SSRF, RCE, SQLi, and privilege escalation.

We generally aren’t interested in the following problems:


We're committed to working with security researchers to resolve the vulnerabilities they discover. You can help us by following these guidelines:

  • Follow HackerOne's disclosure guidelines.
  • Pen-testing Production:
    • Please setup a local environment instead whenever possible. Most of our code is open source (see above).
    • If that's not possible, limit any data access/modification to the bare minimum necessary to reproduce a PoC.
    • Don't automate form submissions! That's very annoying for us, because it adds extra work for the volunteers who manage those systems and reduces the signal-to-noise ratio in our communication channels.
    • If you don't follow these guidelines we will not award a bounty for the report.
  • Be Patient - Give us a reasonable time to correct the issue before you disclose the vulnerability. We care deeply about security, but we're an open-source project and our team consists mostly of volunteers. WordPress powers over 30% of the Web, so changes must undergo multiple levels of peer review and testing to make sure they don't break millions of websites when they're installed automatically.

We also expect you to comply with all applicable laws. You're responsible for paying any taxes associated with your bounties.

Hall of Fame


FireBounty (c) 2015-2019