Security Bug Bounty Program for WordPress Plugins


Eligible Vulnerability Types

  • Unauthenticated remote execution of arbitrary PHP code: US$250
  • Unauthenticated remote malicious file inclusion: US$250
  • Unauthenticated PHP object injection: US$125
  • Unauthenticated SQL injection that can modify the database: US$125
  • Unauthenticated persistent cross-site scripting (XSS): US$125
  • Privilege escalation from unauthenticated to an Administrator role: US$125
  • Unauthenticated arbitrary file viewing that exposes wp-config.php file contents: US$125
  • Unauthenticated information disclosure that exposes website backup files: US$125
  • Unauthenticated information disclosure that exposes customer information: US$125


To receive the bounty you need to report the vulnerability to us first; we will then notify the developer of the plugin of the issue. If there has been no response from them within 7 days, we will publicly disclose the vulnerability. For developers that respond, we will disclose the vulnerability after it is fixed or after 30 days, whichever comes first.

The bounty will be paid as soon as we have confirmed that the vulnerability exists.

The bounty will be paid via PayPal. The bounty can also be donated to a charity of your choice.