This article focuses on how to report WordPress vulnerabilities and what kind of different WordPress bug bounty programs there are.
Bug bounty platforms and programs are great for crowdsourcing security research for software.
Traditionally, software vendors use bug bounty platforms to attract security researchers to find vulnerabilities in their software, and in return, the vendor will pay out cash prizes for new valid reports.
WordPress is a massive ecosystem and new vulnerabilities are found almost every day.
To date, there are three main ways to earn cash prizes when reporting new security vulnerabilities found in WordPress core, plugins, and themes.
Launched in July 2016, WordPress.org started accepting vulnerability reports through the Hackerone platform for vulnerabilities found WordPress core, Gutenberg, WP-CLI, BuddyPress, bbPress, GlotPress, and WordCamp.org.
According to the policy page at Hackerone: “Any reproducible vulnerability that has a severe effect on the security or privacy of our users is likely to be in scope for the program. Common examples include XSS, CSRF, SSRF, RCE, SQLi, and privilege escalation.”
Full details can be seen here: https://hackerone.com/wordpress?type=team&view_policy=true
Already since April 2014 – Automattic is paying bounties for vulnerability reports affecting WordPress.com, Jetpack, VaultPress, Akismet, Gravatar, WooCommerce, Tumblr, Simplenote, and any other projects listed on Automattic.com.
According to Automattic: “Any reproducible vulnerability that affects the security of our users is likely to be in scope for the program.”
Common examples include:
There are quite many rules when it comes to reporting the vulnerabilities, so for the full details and information please look here: https://hackerone.com/automattic?type=team&view_policy=true
Since 2021, Patchstack has started an initiative called Patchstack Red Team. The goal of the initiative is to build a community of security researchers behind the WordPress ecosystem.
Patchstack is a WordPress bug bounty platform where vulnerabilities of any WordPress plugins/themes can be reported and cash prizes are paid out each month for the top security researchers. There are guaranteed payouts every single month.
PS! Patchstack is also paying out a $50 USD reward for all the newcomers who report a new and valid security vulnerability to the Patchstack WordPress bug bounty program for the first time.
You can read about it more here: https://patchstack.com/earn-50-and-get-invitation-to-the-patchstack-red-team/