Today we present an interview with John Blackbourn. John is a web developer of 20 years, a leader of projects and teams, and a public speaker. He recently moved into the role of Director of WordPress Security at Human Made.
He has two cats and they are so fluffy like you would not believe. When he’s not looking at a screen he likes to try his hands at woodwork projects and baking.
John also won the August edition of our Bug Bounty and he did it in amazing style. With just one report, worth over 500 AXP and $16400. This is the biggest bounty in the history of Patchstack.
Why did you end up in security? Was this your plan all along or was it an accident?
I’ve always been curious about how things work, whether it’s software, machinery, or processes. That curiosity got my software engineering career started. If you’re curious about how something works then I think a natural progression is to be curious about how it can break, or be made better, or how to get it to do things that aren’t intended. In the context of information security that curiosity can take you down many different paths. For me, it took me down the path of wanting to write high-quality software that treated security as an important aspect.
I’ve worked with clients such as governments and banks that mandate standards for performance, accessibility, maintainability, and security. I enjoy the challenge of meeting standards and I think it suits my strong attention to detail.
What tips would you give a person interested in security?
Perseverance is a really important quality. It applies to everything in the field of security, whether it’s vulnerability research, red teaming, blue teaming, risk management, compliance, general hacking, or your own continual learning and development.
If there’s a particular discipline that interests you, make use of the publicly available reports and research papers that get published. Disclosure reports and root cause analysis can teach you a lot and will provide you with inspiration. You should research related disciplines such as physical access control, supply chain security, and network engineering because there’s lots of crossover between disciplines, and of course, any given system is only as secure as its weakest link.
Take an interest in new trends and technologies, but try not to get overwhelmed. For example, AI chat prompt injection is quickly becoming an entire security discipline of its own, but the tools, approaches, and skills needed to deal with it are completely different from classic software security. Perhaps that’s not for you, or perhaps that sounds like a great new career focus.
You are a member of the WordPress security team. Can you explain how this team works and what are your responsibilities?
The main responsibilities of this team of volunteers are to:
- Triage vulnerability reports (disclosed via the official HackerOne program). This covers the core software plus other official WordPress projects and parts of the wordpress.org infrastructure.
- Coordinate security fixes, hardening, and releases as necessary.
- Review proposed new features for WordPress core to ensure security standards are maintained.
What many people don’t know is that the security team has a working relationship with representatives from many of the largest web hosts and service providers in the world. This facilitates direct security-related collaboration and coordination with hosts that manage tens of millions of WordPress installations to keep them as secure as can be.
You aren’t a person who finds vulnerabilities every day and yet you manage to find this critical zero-day vulnerability in LiteSpeed Cache – how did it happen?
You’re right that I don’t often compete in bug bounties but I do perform security research frequently and I’ve been involved with the WordPress core security team for many years. I’ve discovered several security issues in the WordPress core software over the years because that’s the area I primarily focus on.
My broad knowledge of web application security definitely helped me to identify the multiple weaknesses that needed to be pieced together to facilitate the vulnerability in the LiteSpeed Cache plugin. By far the most interesting aspect for me was identifying a genuinely exploitable vulnerability caused by insufficient random number generation, something that I’ve only had theoretical experience with prior.
Identifying and reporting the vulnerability did remind me that vulnerability researchers need great persistence and patience as well as technical expertise. I admire anyone who does this research on more than an occasional basis!
If you had unlimited power and could change one thing in WordPress’ security – what would it be and why?
Wouldn’t it be great if plugins and themes in the WordPress.org directories were subject to automated security scans prior to each new version being published, just like a CI/CD system that prevents a deployment when its checks fail?
The technical effort needed to implement such a check might not be that great, but the outreach, awareness education, and general feedback management for the directories that host tens of thousands of plugins and themes would be. It could have a great impact on the security of the wider WordPress ecosystem if done correctly. Perhaps one day in the future.
How do you feel about getting the biggest bounty in Patchstack’s Bug Bounty History?
Of course, I’m very pleased to receive the bounty payment for this research (especially as I recently took an unpaid sabbatical!), but honestly, when an unauthenticated privilege escalation vulnerability like this affects 5M+ sites and ultimately allows for RCE on the majority of them, my main concern is to get it fixed and rolled out as widely as possible, as quickly as possible, and as professionally as possible.
You can connect with John on:
