Submit a vulnerability report
Main principles of the program
The WP Cerber bug bounty program applies to privately disclosed vulnerabilities only. We do not reward publicly disclosed vulnerabilities.
We do not reward vulnerabilities reported via a third party, which means the only way to get a bounty is to report a vulnerability directly to us by using the form below.
We accept vulnerability reports that include a proof we can reproduce. The report must include a description of all steps to reproduce the security issue. Feel free to use screenshots, video, or text files.
Qualifying vulnerabilities
Any design or implementation flaw that substantially affects the security or integrity of an end-user website is likely to be in scope for the program. Common examples include:
- Cross-site scripting,
- Cross-site request forgery,
- Privilege escalation,
- Unauthorized access,
- Bypassing configured access restrictions,
- Bypassing IP Access Lists restrictions,
- Authentication or authorization flaws.
Limitations
To participate in our bug bounty program, please ensure that you report vulnerabilities found only in the latest version of WP Cerber downloaded from our website. It is available on the following page: https://wpcerber.com/installation/.
Please note that we only accept reports that are proven to be exploitable in an environment comprising unmodified WordPress and WP Cerber only. Reports requiring other WordPress plugins or themes for demonstration are not acceptable.
Please be aware that, depending on their impact, some reported issues may not qualify for a monetary reward. Common low-risk issues that typically do not qualify include: flaws affecting users of outdated software, bugs requiring exceedingly unlikely user interaction, complaints about spam protection not being 100% effective, issues caused by a broken (inconsistent) WP Cerber configuration, compatibility issues with other software, and issues with no practical significance to website security.
We do not discuss any extortion.
Reward amounts for security vulnerabilities
The exact reward amount depends on various factors, such as the nature and impact of the vulnerability, the risk it poses, and its exploitability. For a critical vulnerability that meets all the requirements listed on this page, you can receive up to $1000. However, the final amount is always at our discretion, and we may choose to pay a higher reward for an unusually clever vulnerability or a lower reward for a vulnerability that requires unusual user interaction. If you are not interested in the monetary reward or cannot receive it, we offer free license keys for the professional version of WP Cerber.
Submit your vulnerability report
If you agree with the requirements listed on this page, use this form to submit your report.