WordPress announces bug bounty program

WordPress Foundation is the latest organization to publicly announce a bug bounty program set up on the HackerOne platform.

WordPress bug bounty

What’s in scope of the WordPress bug bounty program?

Bounties will be offered to security researchers who flag bugs in:

  • WordPress (content management system)
  • BuddyPress (social networking plugin suite)
  • bbPress (forum software)
  • GlotPress (collaborative translation tool)
  • WP-CLI (command line interface for WordPress)
  • WordPress.org, bbPress.org, WordCamp.org, BuddyPress.org, GlotPress.org, and api.wordpress.org. In general, all *.WordPress.org are in scope.

The security team is interested in reports about the usual suspects: XSS, CSRF, SSRF, SQLi, RCE, and other flaws that affect the security of users.

They will not be awarding bounties for flaws in WordPress plugins, reports of hacked WordPress websites, output from automated scans, and a number of other problems.

The WordPress Foundation didn’t set specific amounts to paid out for specific bugs, but Aaron Campbell, WordPress Security Team Lead, has noted that they already awarded more than $3,700 in bounties to seven different reporters.

The bounties are paid by Automattic, the company that runs the WordPress.com blog web hosting service, which is powered by the WordPress software. Matt Mullenweg, the founder and CEO od Automattic, is one of the original developers of the WordPress CMS.

From private to public

“WordPress is an interesting target – it’s well known, open source, and quite pervasive – and it seems hackers are attracted to that,” Campbell noted. (WordPress is used by 28% of the top 10 million websites.)

The scheme was initially run as a private program. But even with that preparation, the public launch was hectic.

“The increase in volume of reports was drastic as expected, but also our team really hadn’t had to process any invalid reports before moving the program public. The dynamics of the Hacker Reputation system really came into play for the first time, and it was really interesting to figure out how to best work within it,” he explained.

He also noted that the main goal of the program is to keep all WordPress users secure, and this means that popular WordPress plugins or themes might be included in the program in the future.