Bug Bounties


Unfortunately, as the Wikimedia Foundation is a non-profit and charitable organization, it does not pay out bug bounties for disclosing security issues in our projects.

The lists below are not exhaustive, but should be used as a guide to which vulnerabilities are in scope and out of scope, and to which domains they apply.

For more information on how to report a security issue in MediaWiki or Wikimedia sites, please see the Reporting Security Bugs page on MediaWiki.org or at HackerOne.

In-scope domains

  • mediawiki.org
  • w.wiki
  • wikibooks.org
  • wikidata.org
  • wikimedia.com
  • wikimedia.org
  • wikimediafoundation.org
  • wikinews.org
  • wikipedia.org
  • wikisource.org
  • wikiversity.org
  • wikivoyage.org
  • wiktionary.org

Examples of in-scope vulnerabilities

  • Remote Code Execution (RCE)
  • SQL injection (SQLi)
  • Authorization bypass/escalation
  • Sensitive information leaks
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)

Examples of out-of-scope vulnerabilities

  • SPF configuration, or lack thereof
  • DKIM configuration, or lack thereof
  • DMARC configuration, or lack thereof
  • Clickjacking, also known as a "UI redress attack"
  • That "anyone can edit" our projects
  • Source code disclosures (unless it's a password/auth key); our code is open source
  • Assumed vulnerabilities based upon version numbers only