Wordfence Launches Bug Bounty Program

Wordfence Launches Bug Bounty Program to Fund WordPress Security Research and Showcase Researchers

Wordfence, a leading provider of WordPress security solutions, has announced the launch of its bug bounty program. The program aims to incentivize security researchers to report high-risk vulnerabilities and contribute to the overall security of the WordPress ecosystem.

Under the bug bounty program, researchers are encouraged to disclose vulnerabilities to Wordfence. The company then triages the vulnerabilities and confidentially discloses them to the vendors for fixing. Once the fix is released, the vulnerability is included in Wordfence’s public database, which is freely accessible following a responsible disclosure policy.

Chloe Chamberland, a security analyst at Wordfence, stated that there is no cap on the rewards an individual researcher can earn. Every in-scope vulnerability received through the submissions process earns a bounty. The rewards are based on active install counts, the criticality of the vulnerability, the ease of exploitation, and the prevalence of the vulnerability type.

The bug bounty program offers various payouts for vulnerabilities discovered in plugins and themes with 50,000+ active installations. For example, researchers can earn $1,600 for discovering an Unauthenticated Arbitrary File Upload, Remote Code Execution, Privilege Escalation to Admin, or Arbitrary Options Update in a plugin or theme with over one million active installations. Other payouts include $1,060 for an Unauthenticated Arbitrary File Deletion, $800 for an Unauthenticated SQL Injection, $320 for an Unauthenticated Cross-Site Scripting vulnerability, and $80 for a Cross-Site Request Forgery vulnerability with a significant impact.

Wordfence’s bug bounty program differentiates itself from competitors like Patchstack by paying for every vulnerability reported within the program’s scope. Patchstack operates its program on a leaderboard system where only the top researchers get paid. Wordfence CEO Mark Maunder believes that paying for every valid vulnerability is the fair way to do it, as it ensures researchers are rewarded for their work.

Maunder also argues that the wrong incentives are driving down the quality of research submitted to vulnerability databases like Patchstack. He claims that there is a high volume of low-risk vulnerabilities being submitted, which creates unnecessary work for organizations and does not represent any real-world risk to users. Wordfence’s bug bounty program aims to shift the incentives towards rewarding research into high-risk vulnerabilities.

In addition to Wordfence’s bug bounty program, there are other bug bounty programs available in the WordPress ecosystem. Companies like Elementor, Brainstorm Force, Automattic, Castos, and WP Engine have their own bug bounty programs with different payout structures. These programs provide more incentive for securing the WordPress ecosystem and attract skilled researchers.

Wordfence’s entry into the bug bounty market is expected to attract more reports through a bonus structure that rewards chaining multiple vulnerabilities together, thorough documentation, and other extra efforts. The competition among companies for high-quality research will ultimately benefit WordPress users by improving the overall security of the platform.

As the bug bounty programs evolve over time, companies will refine them to provide the best value for original research. The goal is to create a secure WordPress ecosystem that protects users from potential threats and vulnerabilities. With the launch of its bug bounty program, Wordfence is taking a proactive approach to enhancing WordPress security and showcasing the valuable contributions of security researchers.
