20180 policies in database
Link to program      
Ian Dunn logo


Ian Dunn


Bounties are only paid for source code vulnerabilities in the assets listed in the In Scope section below. Low severity reports will often be closed as Informative, since they're not worth the time.

Top Targets

There are more targets listed in the In Scope section below.


| Severity | Award |

| -------- | ------------- |

| High | $100 - $400 |

| Medium | $50 |

| Low | $0 - $25 |

Severity is based on CVSS 3, but may be adjusted up or down at my discretion. For example, a vulnerability in a plugin with 10,000 active installations may be higher than a vulnerability in a plugin with 100 active installations.

To qualify, reports must include a PoC and have complete steps to reproduce. There must be practical and demonstrable security implications, not just a theoretical scenario, or a missing best practice.

Scope Exclusions / Common Invalid Reports

  • My personal website is not in scope. It's not important, and the constant pentesting is annoying.

  • Rare or low-severity edge cases: Like regular bugs, not all security bugs are worth fixing. Some edge cases may be closed as Informative. For example, CEMI attacks using standard trigger characters (like #151516) are welcome, but characters that only work in Excel, or only in old versions of software, etc are not accepted (see #124223).

  • Common false reports listed on WordPress' Reporting Security Vulnerabilities page.

  • Brute force, DoS (including XML-RPC and load-scripts.php), phishing, text injection, or social engineering attacks.

  • Mixed content warnings for passive assets like images and videos

  • Lack of HTTP/MX security headers (CSP, X-XSS, SPF, DMARC, DKIM, etc.)

  • Output from automated scans - please manually verify issues and include a valid proof of concept.

  • Clickjacking with minimal security implications

  • Theoretical vulnerabilities where you can't demonstrate a significant security impact with a PoC.

Invalid reports will be disclosed in order to help other researchers and programs learn from them.

In Scope

Scope Type Scope Name

GitHub repositories


WordPress.org plugins

Out of Scope

Scope Type Scope Name


This program feature scope type like web_application, undefined.

FireBounty © 2015-2021

Legal notices