HackerOne provides a consistent interface for reporting vulnerabilities and reduces the amount of time developers waste responding to common issues, freeing them to focus on security improvements. The HackerOne platform is used by many large organizations for vulnerability reporting, including Twitter, GitHub, and Dropbox.
HackerOne can be used to responsibly disclose serious vulnerabilities for several of the WordPress project’s software products, including WordPress itself, WP-CLI, BuddyPress, and bbPress. Third-party WordPress plugins are not included in the program.
Alongside the adoption of HackerOne for security issue reporting, WordPress has also introduced a bug bounty program with support from Automattic. Bounties will be paid for the responsible disclosure of serious vulnerabilities.
Software of any complexity has bugs in its code. If it becomes popular, hackers and criminals will attempt to find and exploit security vulnerabilities caused by those bugs. Those two facts are the cause of many of WordPress’ security problems. Only misconfiguration and mismanagement cause more issues.
Criminals exploit WordPress vulnerabilities because there’s money to be made. Every WordPress site represents server resources and an audience, both of which are valuable to criminals — and there are many millions of WordPress sites in the world, giving criminals an enormous incentive to discover vulnerabilities.
On the other side are the white-hat security researchers, WordPress users, and developers who work to discover and patch vulnerabilities before criminals find them. WordPress users and the developers who build and rely on WordPress have an obvious incentive to responsibly disclose vulnerabilities, as do security researchers whose reputations are built on their ability to protect users — Sucuri is a prominent example we’ve mentioned on this blog many times before.
But there’s also a large contingent of independent developers and researchers who have no real incentive to look for vulnerabilities or report those they do find. Some — those on the border between hacker and researcher — could make money exploiting vulnerabilities. Some might disclose the vulnerability irresponsibly, leaving developers and users to scramble to release a patch before it’s exploited. Others might sell the vulnerability to criminals.
Bug bounties are intended to give researchers a reason to do the right thing. If they find a vulnerability and disclose it responsibly, they’ll be rewarded for their contribution. Companies like Google and Facebook run huge bug bounty programs that have paid out millions of dollars because they know the cost of a data leak or exploited vulnerability could be much higher.
Responsible disclosure in this case means letting the developers know about the vulnerability with enough information to reproduce the issue, including a proof of concept. It also means giving the developers a reasonable amount of time to release code that fixes the problem, and giving users time to upgrade.