WordPress Introduces Bug Bounty Program via HackerOne

WordPress has joined hands with the HackerOne and now inviting white hats to dig into its various platforms and start hunting bugs. WordPress being the largest self-hosted content management tool powers 28% of the top ten million sites. Being an open source platform, its security is becoming the utmost attention and priority to its security team. The team officially announced its public profile on HackerOne.

HackerOne is the first ever vulnerability coordination and bug bounty platform for responsibly disclosing critical security issues. This platform empowers companies to work with the largest friendly hacker community for surfacing their vulnerabilities. It provides tools to:

  • Effectively communicate with security researchers
  • Organize teams
  • Process the reports
  • Automate the responses and simple bounty payments

With the announcement of the WordPress HackerOne program, this project also introduced the bug bounties to reward the reporters for disclosing critical vulnerabilities. Aaron Campbell – Security Team Lead at WordPress said that his team awarded more than $3,700 in bounties to seven different reporters. These bounty payouts are being sponsored by Automattic on behalf of the WordPress project.

The program and bounties cover WordPress, BuddyPress, bbPress, GlotPress, WP-CLI along with their respective websites:


These bounties will only be awarded to the first reporter of a vulnerability. Qualifying vulnerabilities include:

  1. Cross Site Scripting (XSS)
  2. Cross Site Request Forgery (CSRF)
  3. Server Side Request Forgery (SSRF)
  4. Remote Code Execution (RCE)
  5. SQL Injection (SQLi)

In a Q/A session with HackerOne team, Campbell also hoped to accomplish this project in the near future by incorporating popular WordPress Themes and Plugins as part of this program.

User Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

    Get in Touch