Bounties are usually only paid for source code vulnerabilities in the assets listed in the In Scope section below. Low severity reports will often be closed as Informative, since they're not worth the time. There are more targets listed in the In Scope section below.
Severity | Award
--- | ---
High | $100 - $400
Medium | $50
Low | $0 - $25
Severity is based on CVSS 3 __, but may be adjusted up or down at my discretion. For example, a vulnerability in a plugin with 10,000 active installations may be rated higher than the same vulnerability in a plugin with 100 active installations.
To qualify, reports must include a PoC and complete steps to reproduce. There must be practical and demonstrable security implications, not just a theoretical scenario or a missing best practice.
Informative. For example, CEMI attacks using standard trigger characters (like #151516) are welcome, but characters that only work in Excel, or only in old versions of software, etc. are not accepted (see #124223).
wp-admin are valid, though.
display_errors disabled on production boxes.
Invalid reports will be disclosed in order to help other researchers and programs learn from them.
Contact us if you want more information.