WordPress has finally launched a public bug bounty program

The WordPress security team announced this week the launch of a public bug bounty program that covers the WordPress content management system (CMS) and several related assets.


WordPress has been running a private bug bounty program for roughly seven months and has now decided to make it public.


The WordPress CMS has grown a lot over the last thirteen years – it now powers more than 28% of the top ten million sites on the web. Until now, WordPress had been operating its bug bounty program privately for several months.




The program is hosted on the HackerOne platform and it covers this CMS and other open-source projects, including BuddyPress, bbPress and GlotPress. Researchers can also report flaws discovered in the WordPress.org (including subdomains), WordCamp.org, BuddyPress.org, WordPress.tv, bbPress.org and Jobs.WordPress.net websites.


White hat hackers have been advised to submit vulnerability reports that include detailed information on the flaw and proof-of-concept (PoC) code. Participants have also been asked to avoid privacy violations and causing damage to its live sites, and to give developers a reasonable amount of time to address security holes before their details are made public.


The WordPress security team announced that WordPress is now officially on HackerOne. HackerOne is a vulnerability coordination and bug bounty platform that connects businesses with cybersecurity researchers.


The program covers all the projects including WordPress, BuddyPress, bbPress, GlotPress, and WP-CLI as well as all of the websites including WordPress.org, bbPress.org, WordCamp.org, BuddyPress.org, and GlotPress.org.


The program is interested in reports about security issues like XSS, CSRF, SSRF, SQLi, RCE, and other flaws that affect the security of users.


The bug bounty program generally isn’t interested in the following problems:
– Security issues in plugins.
– Reports about hacked websites.
– Users with privileges being able to post arbitrary JavaScript.
– Disclosure of user IDs.
– Open API endpoints serving public data.
– Path disclosures for errors, warnings, or notices.
– Disclosure of version numbers.
– Mixed content warnings for passive assets like images and videos.
– Missing HTTP security headers (CSP, X-XSS-Protection, etc.).
– Brute force, DDoS, phishing, text injection, or social engineering attacks.
– Any vulnerability with a CVSS 3 score lower than 4.0, unless it can be combined with another security vulnerability to gain a higher score.
– Reports from automated scanners.


We hope that now that the program is officially public, it will help security researchers report security issues quickly.