Rewarding Vulnerability Finders

We don’t. We’re 100% volunteer driven, so when you tell us a plugin from a third-party has a vulnerability, you don’t get anything more than a thank you and our undying affection. Yes, even if you’re that person who sent 45 reports one day.

But. If you’re a bigger than average plugin (say Derpack size), this isn’t a really great way to find out about vulnerabilities. You’d really like it if people could report these securely and in a way that would inspire them to help more. You know. Money.

Enter HackerOne – a free service.

Here’s how it works in a nutshell. You make an account and tell people what you’re looking for. For example, the WP API. Their profile explains the scope (WP 3.9 and up) and they list (with links) everything related.

If someone finds a security hole in the WP-API, they can log into the site and fill in a form explaining what the hack is, how to exploit it, and so on. The developers will review the report and, if they determine it’s valid, pay for the report.

Some pages list how much the payout is, some don’t.

You can search right now for ‘wordpress’ in the directory and there are a handful of WP companies and individuals listed already. Hi, Automattic! Fancy seeing you here.

If you’re a WordPress plugin or theme company, this could be a great way to get the community in on helping you plug those security holes.