Bug bounty program: rewards for reporting bugs

We offer compensation for reporting bugs that you have found on cleantalk.org or in our plugins. Before submitting, please review the list of findings that are out of scope.

Exclusions:

  • php.info
  • User enumeration via wp/json/users
  • Brute force attacks via XML-RPC
  • SSRF via XML-RPC
  • DoS via XML-RPC

Reports of these findings on their own will not be accepted. However, if one of these vectors can be chained into an exploitable, serious vulnerability, such a report may be considered.

Files:
A report about a discovered (exposed) file is accepted only if the file contains critical information such as passwords, logins, wp-settings.php data, or other sensitive data. If the file does not contain this kind of information, the report will be rejected.

Missing Headers:
Findings related to missing or weak security headers (e.g., CORS-related headers) are treated as informational unless you demonstrate that they lead to a significant security risk.

Clickjacking:
Clickjacking findings are not accepted. An exception may be considered only if you demonstrate that the clickjacking leads to serious consequences.

Non-Accepted Vulnerabilities:

  • Sensitive data stored in plain text
  • Open Redirect
  • CSRF with minimal impact
  • Session issues
  • API key disclosure without exploitation
  • HTML Injection
  • Text Injection
  • Rate Limiting
  • Denial of Service (DoS) Attacks
  • Content Spoofing
  • Self-XSS or XSS that only affects old browsers
  • Clickjacking
  • User/Email enumeration
  • Header Injection
  • Reflected file download
  • Misconfigured Headers
  • php.info
  • User enumeration via wp/json/users
  • Brute force attacks via XML-RPC
  • SSRF via XML-RPC
  • DoS via XML-RPC
  • Missing security cookie attributes (secure, httponly, and samesite)
  • Missing best practices in SSL/TLS configuration
  • Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM) related findings
  • CSP Weaknesses
  • Software version disclosure

Rewards:

  • Publicly accessible internal data – $25
  • Directory Listing Enabled (depending on the disclosed data) – $10
  • Account Takeover – $35
  • Insecure Direct Object Reference (IDOR) leading to sensitive data exposure – $15–50
  • Stored XSS (payload can only be delivered through a non-GET request) – $20
  • Stored XSS – $50
  • XML External Entity (XXE) injection – $50
  • LFI/RFI (File Inclusion) – $75
  • Possible Blind SQL Injection – $75
  • Possible SQL Injection – $150
  • Remote Code Execution (RCE) – $200–500
  • Possible Mass Data Leak of Users – $250

Report Submission:
Please send your report to bugbounty@cleantalk.org. Report each bug separately and include a Proof of Concept (PoC) video.

Reports are reviewed within 4–12 business days. If your report is approved, you will be contacted. If you do not receive a response, your report has not been accepted.

Out of Scope Domains:

  • demo*.cleantalk.org
