You really surprised us with 634 valid reports in March 🤯 This is another monthly record. The previous record for March was 243, set in 2024. You almost tripled it.
Also, in March you submitted 40 reports for plugins with an active mVDP program.
Results
You can find the results here but I think the first three deserve to be shown here too:
- Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) 🥇
- stealthcopter 🥈
- LVT-tholv2k 🥉
And the 🍀 lucky winner is Abdi Pranata.
A lot of level changes happened:
Level 5️⃣
- Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity)
- Bonds
- LVT-tholv2k
- Trương Hữu Phúc (truonghuuphuc)
Level 4️⃣
- stealthcopter
- João Pedro S Alcântara (Kinorth)
Level 3️⃣
- astra.r3verii
- muhammad yudha
- johska
- Nguyen Xuan Chien
- Anhchangmutrang
Level 2️⃣
- Aiden (Thái An)
- theviper17
- Phat RiO - BlueRock
Level 1️⃣
- Le Ngoc Anh
- Phan Trong Quan - VNPT Cyber Immunity
Bounties
This all leads to top bounties this month 💰
- 🥇 Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) - $3800
- 🥈 stealthcopter - $2100
- 🥉 LVT-tholv2k - $1800
In total, we paid out $17200💰 this month.
Special bounties
- Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) - 7x double score
- stealthcopter - 1x double score; special - > 4 millions per 2x reports
- LVT-tholv2k - 5x double score
- Bonds - special - > 15 millions per 2x reports
- João Pedro S Alcântara (Kinorth) - Highest install count with 7.1+ CVSS; 1x double score
- Anhchangmutrang - Highest CVSS, 1x double score
- Le Ngoc Anh - 1x double score
- Nabil Irawan - 1x double score
- timomangcut - 1x double score
Don’t forget about the special Easter Bug Bounty
The Easter Bug Bounty runs throughout April. The Easter Bunny doesn’t just want to find as many vulns as possible, he wants to find as many vulnerability TYPES as possible.
You can learn more about the event here.
Did you spot a mistake?
If you have any questions, or you found a mistake, please use the support channel on Discord and create a ticket as soon as possible. The results will be locked in 24h 🙂
Soon you’ll receive an email with all the instructions 📧
Stats 📊
545 | Plugin
90 | Theme
1 | WordPress
By type:
225 | Cross Site Scripting (XSS)
134 | Cross Site Request Forgery (CSRF)
59 | SQL Injection
55 | Broken Access Control
51 | Local File Inclusion
29 | PHP Object Injection
20 | Arbitrary File Upload
11 | Arbitrary File Download
11 | Privilege Escalation
9 | Sensitive Data Exposure
7 | Open Redirection
6 | Deserialization of untrusted data
5 | Server Side Request Forgery (SSRF)
3 | Broken Authentication
2 | Arbitrary Code Execution
2 | Arbitrary Content Deletion
2 | Remote Code Execution (RCE)
1 | Arbitrary File Deletion
1 | Directory Traversal
1 | Insecure Direct Object References (IDOR)
1 | Other Vulnerability Type
1 | Settings Change
By CVSS Score:
154 | 7.1
100 | 6.5
65 | 4.3
46 | 7.5
44 | 5.9
31 | 9.8
28 | 8.5
26 | 8.1
23 | 5.3
21 | 8.8
20 | 7.6
17 | 5.4
14 | 9.9
13 | 9.3
7 | 10.0
7 | 4.7
3 | 4.9
3 | 7.2
3 | 8.2
3 | 9.6
2 | 5.0
2 | 6.6
1 | 4.4
1 | 5.5
1 | 5.8
1 | 6.8
By prerequisite:
359 | Unauthenticated
145 | Contributor
66 | Administrator
60 | Subscriber
2 | Editor
1 | Author
1 | Outlet Manager
1 | Shop manager
1 | Student