Wordfence Launches Bug Bounty Program – WP Tavern
Wordfence launched a bug bounty program today to offer a monetary incentive for security researchers reporting high-risk vulnerabilities to the company's program.
After researchers disclose vulnerabilities to Wordfence, the company triages them and confidentially discloses them to the vendors to fix. When the fix is released, the vulnerability is added to Wordfence's public database, which is free to access, following a responsible disclosure policy.
“There is no cap on the rewards an individual researcher can earn, and every single in-scope vulnerability received through our submissions process earns a bounty,” Wordfence security analyst Chloe Chamberland said.
Wordfence will reward researchers who discover vulnerabilities in plugins and themes with 50,000+ active installations. A few examples of the payouts include the following:
- $1,600 for an Unauthenticated Arbitrary File Upload, a Remote Code Execution, a Privilege Escalation to Admin, or an Arbitrary Options Update in a plugin or theme with over one million active installations.
- $1,060 for an Unauthenticated Arbitrary File Deletion in a plugin or theme with over one million active installations, assuming wp-config.php can easily be deleted.
- $800 for an Unauthenticated SQL Injection in a plugin or theme with over one million active installations.
- $320 for an Unauthenticated Cross-Site Scripting vulnerability in a plugin or theme with over one million active installations.
- $80 for a Cross-Site Request Forgery vulnerability in a plugin or theme with over one million active installations and a significant impact.
“Our Bug Bounty Program has been designed to have the greatest positive impact on the security of the WordPress ecosystem,” Chamberland said. “Rewards are not earned by bulk searching for vulnerabilities with minimal impact and earning a spot on a leaderboard, but rather, they're based on active install counts, the criticality of the vulnerability, the ease of exploitation, and the prevalence of the vulnerability type.”
Wordfence's bug bounty program launch was clearly vying for competitive positioning by indirectly calling out Patchstack, which operates its program on a leaderboard system where only the top researchers get paid. There are several notable differences, where some bounties are awarded at Patchstack's discretion but most individual bounties go to the highest ranking in various categories:
Patchstack guarantees a monthly prize pool of at least $2425 (the lowest possible prize pool). The Patchstack Alliance member who accumulates the most points for a particular month from their submitted reports gets the $650 bounty, the second place gets $350 and the third gets $250.
We have additional bounties (single bounties) for reporting the vulnerability with the highest CVSS ver. 3.1 base score; the highest active install count; and for reporting a group of components affected by the same vulnerability.
Patchstack can reward individual Patchstack Alliance members at their discretion based on the overall impact of the vulnerabilities they discover.
Wordfence is taking a different approach by paying for every vulnerability reported within the scope identified by the program.
Researchers in the WordPress ecosystem should familiarize themselves with the various bug bounty programs and determine the best avenue for their disclosures. Some plugins and companies, such as Elementor, Brainstorm Force, Automattic, Castos, and WP Engine, have their own bug bounty programs, with a range of different payouts.
“We pay more per vulnerability and we pay for every valid vulnerability submitted,” Wordfence CEO Mark Maunder said. “We feel this is the only fair way to do it because gamification of a vulnerability program is like having employees who all work, but only those at the top of the leaderboard get paid. If you submit a valid vulnerability, you should get paid for your work.”
Maunder contends that the wrong incentives are driving down the quality of the research submitted.
“There are an extremely high number of low-risk and low-quality vulnerabilities being submitted to databases like Patchstack,” he said. “Vulnerabilities that involve a Cross-Site Request Forgery are an example of this. The incentives we're seeing out there encourage researchers to generate a high volume of low-risk vulnerabilities to get rewarded. These high numbers are then used to market security products.”
Maunder said Wordfence has structured its program around shifting the incentives to reward research into high-risk vulnerabilities, instead of ramping up the marketing metrics for a particular vulnerability database.
“A high volume of low-risk vulnerabilities in any particular database harms the industry because it creates work for other organizations who must integrate this data, but for the most part it's useless noise that we're forced to sift through, rather than representing any real-world risk to the user community,” Maunder said.
As the newcomer to the group of WordPress companies offering bug bounties, Wordfence is entering the market with the intention of attracting more reports through extra bonuses (10% for the first 6 months) and a bonus structure that rewards chaining multiple vulnerabilities together, thorough documentation, and other additional effort.
Not every author of a popular plugin or theme can afford to offer their own bug bounty program, and this is where security companies are stepping in to fill the gaps. More competition among companies for high-quality research can only be good for WordPress users, as it provides more incentive for securing the ecosystem and will potentially attract more skilled researchers. The bug bounty programs will likely evolve over time as companies refine them to provide the best value for legitimate research.