Rewarding Vulnerability Finders

We don’t. We’re 100% volunteer-driven, so when you tell us a plugin has a vulnerability, you don’t get anything more than a thank you and our undying affection. Yes, even if you’re that person who sent 45 reports in one day.

But. If you’re a bigger-than-average plugin (say, Derpack size), this isn’t a really great way to find out about vulnerabilities. You’d really like it if people could report these securely, and in a way that would inspire them to keep helping. You know. Money.

Enter HackerOne – a free service.

Here’s how it works in a nutshell. You make an account and tell people what you’re looking for. For example, the WP API: its profile explains the scope (WP 3.9 and up) and lists (with links) everything that is in scope.

If someone finds a security hole in the WP-API, they can log into the site and fill in a form explaining what the vulnerability is, how to reproduce and exploit it, and so on. The developers review the report and, if they determine it’s valid, pay for it.

Some program pages list how much the payout is; some don’t.

You can search right now for ‘wordpress’ in the directory and there are a handful of WP companies and individuals listed already. Hi, Automattic! Fancy seeing you here.

If you’re a WordPress plugin or theme company, this could be a great way to get the community in on helping you plug those security holes.