This article focuses on how to report WordPress vulnerabilities and what kind of different WordPress bug bounty programs there are.

Bug bounty platforms and programs are great for crowdsourcing security research for software.

Traditionally, software vendors use bug bounty platforms to attract security researchers to find vulnerabilities in their software, and in return, the vendor will pay out cash prizes for new valid reports.

WordPress is a massive ecosystem and new vulnerabilities are found almost every day.

To date, there are three main ways to earn cash prizes when reporting new security vulnerabilities found in WordPress core, plugins, and themes.

The Hackerone WordPress.org Program

Launched in July 2016, WordPress.org started accepting vulnerability reports through the Hackerone platform for vulnerabilities found WordPress core, Gutenberg, WP-CLI, BuddyPress, bbPress, GlotPress, and WordCamp.org.

Scope:

• WordPress Core software, API, and website.
• Gutenberg software and Classic Editor software.
• WP-CLI software and website.
• BuddyPress software and website.
• bbPress software and website.
• GlotPress software (but not the website).
• WordCamp.org website.

According to the policy page at Hackerone: “Any reproducible vulnerability that has a severe effect on the security or privacy of our users is likely to be in scope for the program. Common examples include XSS, CSRF, SSRF, RCE, SQLi, and privilege escalation.”

Full details can be seen here: https://hackerone.com/wordpress?type=team&view_policy=true

The Hackerone Automattic (WordPress.com) Program

Already since April 2014 – Automattic is paying bounties for vulnerability reports affecting WordPress.com, Jetpack, VaultPress, Akismet, Gravatar, WooCommerce, Tumblr, Simplenote, and any other projects listed on Automattic.com.

According to Automattic: “Any reproducible vulnerability that affects the security of our users is likely to be in scope for the program.” 

Common examples include:

• Cross-Site Scripting (XSS)
• Cross-Site Request Forgery (CSRF)
• Server-Side Request Forgery (SSRF)
• Remote Code Execution (RCE)
• SQL Injection (SQLi)

There are quite many rules when it comes to reporting the vulnerabilities, so for the full details and information please look here: https://hackerone.com/automattic?type=team&view_policy=true

Patchstack Red Team WordPress Bug Bounty (for any WordPress plugins)

Since 2021, Patchstack has started an initiative called Patchstack Red Team. The goal of the initiative is to build a community of security researchers behind the WordPress ecosystem.

Patchstack is a WordPress bug bounty platform where vulnerabilities of any WordPress plugins/themes can be reported and cash prizes are paid out each month for the top security researchers. There are guaranteed payouts every single month.

Scope:

• Any plugin listed in https://wordpress.org/plugins/
• Any theme listed in https://wordpress.org/themes/
• WordPress core
• WordPress plugins and themes listed in third-party repositories

PS! Patchstack is also paying out a $50 USD reward for all the newcomers who report a new and valid security vulnerability to the Patchstack WordPress bug bounty program for the first time.

You can read about it more here: https://patchstack.com/earn-50-and-get-invitation-to-the-patchstack-red-team/