Complete WordPress Bug Bounty Guide

Published 14 June 2021
Updated 18 July 2023
Oliver Sild
CEO at Patchstack
Table of Contents

This article focuses on how to report WordPress vulnerabilities and what kind of different WordPress bug bounty programs there are.

Bug bounty platforms and programs are great for crowdsourcing security research for software.

Traditionally, software vendors use bug bounty platforms to attract security researchers to find vulnerabilities in their software, and in return, the vendor will pay out cash prizes for new valid reports.

WordPress is a massive ecosystem and new vulnerabilities are found almost every day.

To date, there are three main ways to earn cash prizes when reporting new security vulnerabilities found in WordPress core, plugins, and themes.

The Hackerone WordPress.org Program


Launched in July 2016, WordPress.org started accepting vulnerability reports through the Hackerone platform for vulnerabilities found WordPress core, Gutenberg, WP-CLI, BuddyPress, bbPress, GlotPress, and WordCamp.org.

Scope:


According to the policy page at Hackerone: “Any reproducible vulnerability that has a severe effect on the security or privacy of our users is likely to be in scope for the program. Common examples include XSS, CSRF, SSRF, RCE, SQLi, and privilege escalation.”

wordpress bug bounty

Full details can be seen here: https://hackerone.com/wordpress?type=team&view_policy=true

The Hackerone Automattic (WordPress.com) Program


Already since April 2014 – Automattic is paying bounties for vulnerability reports affecting WordPress.com, Jetpack, VaultPress, Akismet, Gravatar, WooCommerce, Tumblr, Simplenote, and any other projects listed on Automattic.com.

According to Automattic: “Any reproducible vulnerability that affects the security of our users is likely to be in scope for the program.” 

Common examples include:

  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Server-Side Request Forgery (SSRF)
  • Remote Code Execution (RCE)
  • SQL Injection (SQLi)


There are quite many rules when it comes to reporting the vulnerabilities, so for the full details and information please look here: https://hackerone.com/automattic?type=team&view_policy=true

Patchstack Alliance WordPress Bug Bounty (for any WordPress plugins)


Since 2021, Patchstack has started an initiative called Patchstack Alliance (formerly Red Team). The goal of the initiative is to build a community of security researchers behind the WordPress ecosystem.

Patchstack Alliance is a WordPress bug bounty platform where vulnerabilities of any WordPress plugins/themes can be reported and cash prizes are paid out each month for the top security researchers. There are guaranteed payouts every single month.

Scope:

The latest in Patchstack how-to's

Looks like your browser is blocking our support chat widget. Turn off adblockers and reload the page.
crossmenu