You all probably remember that last year Santa Claus visited us because he needed some help with vulnerabilities. It turns out that he recommended us to his friend, the Easter Bunny 🐰.
The Easter Bunny doesn't want to just find as many vulns as possible, he wants to find as many vulnerability TYPES as possible.
The event will take place in parallel with the regular monthly event, so you'll compete in two events for two bounty pools.
Rules
- Only vulnerabilities with these prerequisites are accepted for the special event: unauthenticated, subscriber, customer.
- Researchers compete to find the most different types of vulnerabilities (one point per vulnerability type).
- The minimum entry level to compete is 5 points (at least five types of vulnerabilities) (updated on 31.03 at 17:30 UTC).
- If two or more researchers have the same number of points, we will check the AXP count of those reports (if multiple vulnerabilities of the same type are reported, we will count the highest one of that kind).
- Only vulnerabilities in components with 1000+ active installs or sales are accepted for the special event count.
- Time - April 1, 2025 - April 30, 2025 (UTC)
- Vulnerability should exist in the latest reported plugin or theme version.
- Reports that involve non-default configurations or altered states of the server, WordPress, or the reported plugin/theme will not be considered valid for the special event.
- If reports collide (same vulnerability reported by multiple researchers for the same component), the point will be assigned to the researcher who reported it first.
Bounty
There is $3500 in the separate bounty basket:
Position | Bounty |
---|---|
1 | $1,000.00 |
2 | $800.00 |
3 | $600.00 |
4 | $400.00 |
5 | $200.00 |
6 | $200.00 |
7 | $100.00 |
8 | $100.00 |
9 | $50.00 |
10 | $50.00 |
You'll get points for every vulnerability type you discover.
But how can I learn about all those vulnerability types?
We got you covered. Visit our Academy website to learn how to discover them.
How should I start?
If you have a researcher account (which means you reported to our Bug Bounty program before), just report using the Researcher Portal.
If you are here for the first time, I recommend that you first visit:
And when you're ready, submit your first report using this form.
If you have any questions, reach us on our Discord.
Happy hunting 🐰