Bug Bounty
Platforms
You’ve found a bug and exploited it, but now what? Well, you need to write it up (yay!) and then submit it to a bug bounty program.
Deciding where to report a vulnerability depends first on scope, as there’s no point reporting it somewhere it will not be valid. It depends second on the best payout. This can be difficult to figure out because of Patchstack’s gamification: if they are having a slow month you may do better submitting there than to other programs, but in extremely competitive months you are unlikely to take a high bounty.
💬 If you need some help navigating this, please feel free to drop me a message, and I’ll be happy to help you maximise your bounty!
Patchstack
| Link | Patchstack |
|---|---|
| Scope | >1k installs on all plugins & themes. |
| Payouts | This is where it gets complicated: Patchstack gives points for each bug but does not have a payout per bug. Instead, players get a bounty for where they place each month in the leaderboard (see table below). |
| Payout Frequency | Once a month, 1-2 weeks after it has ended. |
They also have leveling up bonuses and zero day bonuses for unauthenticated or subscriber level vulnerabilities that can lead to entire site take over.
Wordfence
| Link | Wordfence |
|---|---|
| Scope | The install count threshold depends on researcher experience: “1337 researchers”: >1k installs on all plugins & themes. “Resourceful researchers”: >15k installs, or >1k for criticals. Others: >50k installs, or >1k for criticals. |
| Payouts | Ranges from ~$3 to ~$32,760, with a helpful bug calculator to figure out the likely payout. |
| Payout Frequency | Twice a month. |
WPScan
| Link | WPScan |
|---|---|
| Scope | >50k installs on wordpress.org plugins & themes, with an impact of stored XSS or higher. |
| Payouts | $? - From their docs, it looks like I’m not allowed to say what their bounties are, but they are currently the most lucrative. |
| Payout Frequency | Once per week. |
Others
And… there are also some additional bug bounty programs that companies run for specific plugins they own, such as:
Typically, when a company has its own bug bounty program, its plugins will be out of scope for the other, more general programs.
Reporting Tips
💡 Tip: Don’t be afraid to politely discuss with the triagers if they have misunderstood your vulnerability or awarded you the wrong amount. With one of my first findings, I managed to talk it up from $0 to a $165 bounty because, under GDPR, an administrator would be compelled to perform the exploit for you; read more here.