Elementor: Bug Bounty Program

  • Points – $4,000 per vulnerability
  • Up to $5,000 maximum reward

Program stats

  • Vulnerabilities rewarded 87
  • Validation within 20 days 75% of submissions are accepted or rejected within 20 days
  • Average payout $422.72 within the last 3 months

Latest hall of famers

Recently joined this program


Please note: This program or engagement does not allow disclosure. You may not release information about vulnerabilities found in this program or engagement to the public.

Elementor is the leading website builder platform for professionals on WordPress. Elementor serves web professionals including developers, designers and marketers and boasts a new website created every 10 seconds on its platform.

Elementor is an open-source, GPLv3 licensed offering its platform both as free and premium. Since launching in 2016, Elementor’s reach now extends to more than 180 countries, has more than 5,000,000 active installs, and is loved by many, as seen in over 4.5K five-star reviews it received in the WordPress repository.

General Guidelines

  • Vulnerability reports which will not include manual validation - for example, reports based only on results from automated tools and scanners or which describe theoretical attack vectors without proof of exploitability - will be automatically closed.
  • Indicate steps to reproduce and verify you demonstrate a working proof of concept. Submissions without sufficient details - will be automatically closed.
  • Please collect only the information necessary to demonstrate the vulnerability.
  • Please only target your own accounts. DO NOT attempt to access the data of other accounts.
  • Our program will use Bugcrowd’s Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its actual likelihood or impact. In any instance where an issue is downgraded, a detailed explanation will be provided to the researcher.
  • Verify your target, do not attack any 3rd party supporting our services.
  • We base all payouts on impact and will reward accordingly. Please emphasize the actual impact as part of your submission description.
  • Rate Limiting - WAF technology is being utilized and will block high rate traffic deemed to be malicious. Stick with manual and pinpointed attack processes, don’t use mass scanning tools and avoid brute force attempts. If this occurs, discontinue your activity for a period of 24 hours.
  • Out of Scope submissions that will indicate sufficient reasoning (why you believe it should be considered) and demonstrable impact may be considered as “In Scope” submissions (case-by-case basis).

Reward Guidelines

We base all payouts on impact and will reward accordingly. Please emphasize the impact as part of your submission.

We are particularly interested and will consider extraordinary submissions for issues that result in full compromise of a system

Priority Reward Range
P1 (extraordinary submissions) Up to $5,000
P1 $2,000 - $4,000
P2 $500 - $2,000
P3 $0 - $500
P4 Points Only

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email support@bugcrowd.com. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.