HackerOne opens possibilities for WordPress vulnerability hunting

HackerOne is a popular platform for vulnerability hunting and disclosure, built on a bounty system for properly disclosed software issues. As Aaron Campbell notes on the WordPress blog, “It provides tools that improve the quality and consistency of communication with reporters, and will reduce the time spent on responding to commonly reported issues. This frees our team to spend more time working on improving the security of WordPress.”

The WordPress page on HackerOne offers guidelines and areas of interest for disclosures. Interestingly, it also highlights areas they are not interested in:

Any reproducible vulnerability that affects the security of our users is likely to be in scope for the program. Common examples include:

  • Cross Site Scripting (XSS)
  • Cross Site Request Forgery (CSRF)
  • Server Side Request Forgery (SSRF)
  • Remote Code Execution (RCE)
  • SQL Injection (SQLi)

We generally aren’t interested in the following problems:

If you think you found an exception, please, let us know.

I’m really happy to see the WordPress project embrace HackerOne, as it’s pretty standard practice for a lot of software projects and large organizations. I think it will also help with researchers who are already accustomed to such a system, versus the sometimes confusing process around emailing the security@wordpress.org address and previous processes around that.

Aaron notes that during the test phase of the HackerOne listing, they’ve already, “awarded more than $3,700 in bounties to seven different reporters.” Confusingly, Automattic has paid out the awards. To me — while I’m thankful Automattic stepped up to cover those costs — it is a perfect opportunity for the WordPress Foundation to play a role.

I’d love to see a more formal fundraising effort around security and this bounty system, funded by the community and managed through the foundation. Perhaps that’s something that can be addressed in the future. While it’s nice for Automattic to foot the bill, I think the separation of concerns would be good for everyone, especially on security issues that are so relevant to the entire community.
