Mika Epstein posted a recommendation on Make WordPress Plugins for authors who make money from plugins to utilize a service like HackerOne to help identify and fix vulnerabilities in their plugins.
The WordPress tag on HackerOne — which is a free directory for rewarding “white hat” hackers who find and disclose vulnerabilities — already has some companies listed.
If someone finds a security hole in the WP-API, they can log into the site and fill in a form explaining what the hack is, how to exploit it, and so on. The developers will review the report and, if they determines it’s valid, pay for the report.
…
If you’re a WordPress plugin or theme company, this could be a great way to get the community in on helping you plug those security holes.
I completely agree with Mika. HackerOne is a great service with not too much potential downside, as the listing itself is free. One commenter, J.D. Grimes, notes that the only downside from his experience listing his plugins is that he gets a relatively high rate of false positives, but still considers it quite worthwhile.
