WordPress (CMS) has grown a lot over the last thirteen years – it now powers more than 28% of the top ten million sites on the web. WordPress has been operating a private bug bounty program for several months.
The WordPress Security Team published that WordPress is now officially on HackerOne. HackerOne is a vulnerability coordination and bug bounty platform that connects businesses with cybersecurity researchers.
The program covers all the projects including WordPress, BuddyPress, bbPress, GlotPress, and WP-CLI as well as all of the websites including WordPress.org, bbPress.org, WordCamp.org, BuddyPress.org, and GlotPress.org.
The program is interested in reports about security issues like XSS, CSRF, SSRF, SQLi, RCE, and other flaws that affect the security of users.
The bug bounty program generally isn’t interested in the following problems:
– Plugins Security issues.
– Reports about hacked websites.
– Disclosure of user IDs.
– Open API endpoints serving public data.
– Path disclosures for errors, warnings, or notices.
– disclosure of version number.
– Mixed content warnings for passive assets like images and videos.
– Missing HTTP security headers (CSP, X-XSS, etc.)
– Brute force, DDoS, phishing, text injection, or social engineering attacks.
– Any vulnerability with a CVSS 3 score lower than 4.0, unless it can be combined with other security vulnerability to gain a higher score.
– Reports from automatic scanners.
We hope that after the program has been officially public, it will help security researchers to report security issues quickly.