WordPress is looking for vulnerabilities across all its platforms and sites, hoping white hats can help

May 16, 2017 19:41 GMT

WordPress has joined the HackerOne platform, asking white hats to start digging through its code searching for vulnerabilities. 

Over the years, WordPress has grown into the most widely used blogging platform in the world. It powers over 28% of the top ten million sites in the world, which makes it that much more important for the project to keep its bugs in check.

HackerOne, as you might know, is a platform where security researchers can securely and responsibly report vulnerabilities they discover. Researchers can then be paid for their trouble with various amounts of money, depending on what the companies are offering for those specific types of vulnerabilities. As WordPress puts it, this will free up its team to spend more time working on improving the security of WordPress.

WordPress had in fact been running the bug bounty program for just over a year, but privately. Thus far, it has awarded more than $3,700 in bounties to seven different reporters.

A great move

"With the announcement of the WordPress HackerOne program, we are also introducing bug bounties. Bug bounties let us reward reporters for disclosing issues to us and helping us secure our products and infrastructure. We’ve already awarded more than $3,700 in bounties to seven different reporters! We are thankful to Automattic for paying the bounties on behalf of the WordPress project," the company's Aaron Campbell wrote.

The program and bounties cover all projects, including WordPress, BuddyPress, bbPress, GlotPress, and WP-CLI, as well as all its sites.

According to the announcement, any reproducible vulnerability that affects the security of its users is likely to be in the scope of the program, including SQL injection, remote code execution, and cross-site scripting.

WordPress has had quite a few security issues over the past few years, including some that were qualified as critical.

Numerous companies have bug bounty programs of their own, while others are signed up with HackerOne. Even the US Army has had several such programs.