November 13, 2023

Wordfence recently launched a new bug bounty program.

Wordfence launches bug bounty program to encourage vulnerability research in WordPress, rewarding each valid report with various levels of compensation.


Wordfence, a well-known company in the field of cybersecurity, recently launched a new bug bounty program. This initiative aims to offer financial incentives to security researchers who report high-risk vulnerabilities to the company.

Once researchers disclose vulnerabilities to Wordfence, the company manages them and confidentially communicates them to vendors for remediation. When the fix is ​​released, the vulnerability is included in the Wordfence public database, freely accessible, following a responsible disclosure policy.

Chloe Chamberland, security analyst at Wordfence, said: “There is no limit to the rewards an individual researcher can earn, and each relevant vulnerability received through our submission process warrants a reward."

Chloe Chamberland

Wordfence will reward researchers who discover vulnerabilities in plugins and themes with over 50.000 active installs. Some payment examples include:

  • $1.600 for Arbitrary Unauthenticated File Upload, Remote Code Execution, Escalation of Admin Privileges, or Arbitrarily Updating Options in a plugin or theme with over one million active installs.
  • $1.060 for Unauthenticated Arbitrary File Deletion in a plugin or theme with over one million active installs, assuming wp-config.php can be easily deleted.
  • $800 for an unauthenticated SQL injection into a plugin or theme with over a million active installations.
  • $320 for an Unauthenticated Cross-Site Scripting vulnerability in a plugin or theme with over one million active installs.
  • $80 for a Cross-Site Request Forgery vulnerability in a plugin or theme with over one million active installs and significant impact.

Our Bug Bounty Program rewards are designed to have the greatest positive impact on the security of the WordPress ecosystem. Rewards are not earned by mass searching for low-impact vulnerabilities to earn a spot on a leaderboard, but are based on the number of active installations, criticality of the vulnerability, ease of exploitation, and prevalence of the vulnerability type.

Chamberland said.

WordFence Intelligence

The launch of Wordfence's bug bounty program clearly aims to position itself competitively, indirectly challenging Patchstack, which operates its program on a leaderboard system where only the best researchers get paid. There are some notable differences, where some awards are given at discretion, but most individual awards are for the highest score in various categories:

Patchstack guarantees a monthly prize pool of at least $2425 (the lowest possible prize pool). The Patchstack Alliance member who collects the most points for a particular month from their submitted reports will receive a reward of $650, second place will receive $350 and third place will receive $250.

There are extra rewards (single rewards) for reporting the vulnerability with the highest base score according to CVSS ver. 3.1; the highest active install count; and to report a group of components affected by the same vulnerability.

Patchstack may reward individual members of the Patchstack Alliance at its discretion based on the overall impact of the vulnerabilities they discover.

Wordfence takes a different approach to paying for each vulnerability reported within the scope identified by the program.

Researchers in the WordPress ecosystem should familiarize themselves with the various bug bounty programs and determine the best avenue for their reports. Some plugins and companies, such as Elementor, Brainstorm Force, Automattic, Castos, and WP Engine, have their own bug bounty programs, with a range of different payouts.

We pay more per vulnerability and we pay for every valid vulnerability submitted, we believe this is the only right way to proceed, as gamification of a vulnerability program is like having employees all working, but only those at the top get paid . If you submit a valid vulnerability, you should be paid for your work.

said Mark Maunder, CEO of Wordfence.

Mark Maunder - CEO WordFence

Maunder argues that the wrong incentives are lowering the quality of research submitted.

There are an extremely high number of low-risk, low-quality vulnerabilities being submitted to databases like Patchstack, Vulnerabilities involving Cross-Site Request Forgery are an example. The incentives we're seeing out there encourage researchers to generate a high volume of low-risk vulnerabilities to get rewarded. These high numbers are then used to market security products.

Maunder said Wordfence structured its program to shift incentives toward finding high-risk vulnerabilities, rather than boosting marketing metrics for a particular vulnerability database.

A high volume of low-risk vulnerabilities in any particular database hurts the industry because it creates work for other organizations that need to integrate this data, but for the most part it is just useless noise that we are forced to sift through, rather than posing a risk real for the user community

Maunder said.

As a new entry into the group of WordPress companies offering bug bounties, Wordfence enters the market with the intention of attracting more reports through additional bonuses (10% for the first 6 months) and a bonus structure that rewards chaining multiple vulnerabilities together , thorough documentation and other extra efforts.

Not every author of a popular plugin or theme can afford to offer their own bug bounty program, and this is where security companies step in to fill the gaps. More competition between companies for high-quality research can only be a good thing for WordPress users, as it provides more incentives for ecosystem security and will potentially attract more qualified researchers. Bug bounty programs will likely evolve over time as companies refine them to provide the best value for original research.

Do you have doubts? Don't know where to start? Contact us!

We have all the answers to your questions to help you make the right choice.

Chat with us

Chat directly with our presales support.


Contact us by phone during office hours 9:30 - 19:30

Contact us online

Open a request directly in the contact area.


Managed Server Srl is a leading Italian player in providing advanced GNU/Linux system solutions oriented towards high performance. With a low-cost and predictable subscription model, we ensure that our customers have access to advanced technologies in hosting, dedicated servers and cloud services. In addition to this, we offer systems consultancy on Linux systems and specialized maintenance in DBMS, IT Security, Cloud and much more. We stand out for our expertise in hosting leading Open Source CMS such as WordPress, WooCommerce, Drupal, Prestashop, Joomla, OpenCart and Magento, supported by a high-level support and consultancy service suitable for Public Administration, SMEs and any size.

Red Hat, Inc. owns the rights to Red Hat®, RHEL®, RedHat Linux®, and CentOS®; AlmaLinux™ is a trademark of AlmaLinux OS Foundation; Rocky Linux® is a registered trademark of the Rocky Linux Foundation; SUSE® is a registered trademark of SUSE LLC; Canonical Ltd. owns the rights to Ubuntu®; Software in the Public Interest, Inc. holds the rights to Debian®; Linus Torvalds holds the rights to Linux®; FreeBSD® is a registered trademark of The FreeBSD Foundation; NetBSD® is a registered trademark of The NetBSD Foundation; OpenBSD® is a registered trademark of Theo de Raadt. Oracle Corporation owns the rights to Oracle®, MySQL®, and MyRocks®; Percona® is a registered trademark of Percona LLC; MariaDB® is a registered trademark of MariaDB Corporation Ab; REDIS® is a registered trademark of Redis Labs Ltd. F5 Networks, Inc. owns the rights to NGINX® and NGINX Plus®; Varnish® is a registered trademark of Varnish Software AB. Adobe Inc. holds the rights to Magento®; PrestaShop® is a registered trademark of PrestaShop SA; OpenCart® is a registered trademark of OpenCart Limited. Automattic Inc. owns the rights to WordPress®, WooCommerce®, and JetPack®; Open Source Matters, Inc. owns the rights to Joomla®; Dries Buytaert holds the rights to Drupal®. Amazon Web Services, Inc. holds the rights to AWS®; Google LLC holds the rights to Google Cloud™ and Chrome™; Microsoft Corporation holds the rights to Microsoft®, Azure®, and Internet Explorer®; Mozilla Foundation owns the rights to Firefox®. Apache® is a registered trademark of The Apache Software Foundation; PHP® is a registered trademark of the PHP Group. CloudFlare® is a registered trademark of Cloudflare, Inc.; NETSCOUT® is a registered trademark of NETSCOUT Systems Inc.; ElasticSearch®, LogStash®, and Kibana® are registered trademarks of Elastic NV Hetzner Online GmbH owns the rights to Hetzner®; OVHcloud is a registered trademark of OVH Groupe SAS; cPanel®, LLC owns the rights to cPanel®; Plesk® is a registered trademark of Plesk International GmbH; Facebook, Inc. owns the rights to Facebook®. This site is not affiliated, sponsored or otherwise associated with any of the entities mentioned above and does not represent any of these entities in any way. All rights to the brands and product names mentioned are the property of their respective copyright holders. Any other trademarks mentioned belong to their registrants. MANAGED SERVER® is a trademark registered at European level by MANAGED SERVER SRL, Via Enzo Ferrari, 9, 62012 Civitanova Marche (MC), Italy.


Would you like to see how your WooCommerce runs on our systems without having to migrate anything? 

Enter the address of your WooCommerce site and you will get a navigable demonstration, without having to do absolutely anything and completely free.

No thanks, my customers prefer the slow site.
Back to top