Bounty is paid after the issue is validated by a safefive team member and patch or security plugin update has been released. Please see the structured bounty table for maximum payout ranges. This bounty table provides general guidelines. All final decisions are at the discretion of safefive.
When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
Researchers who are the first to report a vulnerability will be the researcher acknowledged in the release notes once the vulnerability is resolved. If there are additional team members involved in researching the vulnerability, please provide their name(s) and what their contribution was to the findings when submitting this report.
Minors are welcome to participate in the program by submitting issues for review. However our ability to collect personal information from children under 16. They must have their parent or legal guardian submit their information in order to claim a bounty.