WordPress now has its own official HackerOne account where security researchers can responsibly disclose vulnerabilities to the security team. The project’s page was previously listed under Automattic’s profile before HackerOne launched its free community edition for open source projects. WordPress has now transitioned to its own account, which also includes sister projects BuddyPress, bbPress, GlotPress, and WP-CLI, along with all of their respective websites.
The WordPress Security team launched its HackerOne profile privately at first and had been inviting reporters to use it when they reported security issues via email. Having the profile public makes it possible for the team to work together on triaging the issues that are submitted. WordPress Security Czar Aaaron Campbell said the new system will reduce the time spent on responding to commonly reported issues, allowing the team to spend its time more effectively.
“We have about 40 people with access to triage reports, although, like most volunteer groups, not everyone is usually triaging at the same time,” Campbell said.
The project also launched bug bounties to reward reporters for responsibly disclosing security issues and Campbell said the team has awarded more than $3,700 in bounties to seven different reporters.
“So far bounties have ranged from $150 to $1,337,” Campbell said. “Anything that qualifies for a cash bounty will be $150+. We have a few swag bounties (hoodies) for really small things that will be going out soon as well (finishing getting everything set up with the swag store to do this now).”
Campbell confirmed that $1,337 is not the upper limit of the bounties and that there are bugs that could qualify for larger bounties.
“Bounties are calculated based on bug severity, the product or site it’s on (WordPress core being weighted more heavily than say the swag store), and also the quality of the report,” Campbell said. Automattic is sponsoring the bounty payouts on behalf of the WordPress project.