We are excited to share some updates on our Bug Bounty Program today! It has been over six months since the launch of our program, during which we’ve awarded approximately $242,000 in bounties. Since then, our team has triaged around 2,140 vulnerability submissions, with about 1,320 deemed in-scope.
Together with our researchers and software vendors, we’ve protected millions of websites from vulnerabilities – and this is just the beginning.
We’re continuously developing and enhancing our program and tools to support the increasing volume of submissions from our researchers. Our critical mission is to provide the best possible experience and opportunities for bug bounty hunting in WordPress, aligning with our overarching goal to Secure the Web. Excitingly, we’ve just rolled out some significant updates:
Redesigned Bug Bounty Program Overview Page: We’ve completely revamped the overview page to streamline information access and simplify the onboarding process for researchers.
New Achievable Researcher Tier: We’ve added a new tier that expands the scope for researchers who have proven their ability to contribute positively to the WordPress ecosystem.
Published Bounty Estimator: For greater transparency, we’ve published the bounty estimator we use internally. This tool helps researchers understand potential rewards, enabling them to better allocate their efforts.
New ‘Submitted XX Vulnerabilities’ Achievement Badges: Researchers can now earn additional badges as they reach new milestones in vulnerability submissions.
We are not just aiming to enhance WordPress security, but to revolutionize the Bug Bounty landscape within the WordPress community. Continue reading to learn more about these exciting enhancements!
Redesigned Bug Bounty Program Overview
Feedback indicated that our previous overview was cumbersome and laden with legal jargon. The new design consolidates all necessary information into a single page with easy tab navigation, removing barriers and encouraging quicker start times for researchers eager to discover vulnerabilities in WordPress.
You can view all of these updates in our Bug Bounty Program Overview.
Introducing the Resourceful Researcher Tier
Recognizing the significant leap from our standard tier to the elite 1337 tier, we’ve introduced the ‘Resourceful Researcher’ tier. This new tier, with a lower barrier to entry and a broader scope, enables researchers to focus more on hunting impactful vulnerabilities. This tier is unlocked for those who submit at least one “critical” vulnerability or three “high severity” vulnerabilities without exceeding five false positive reports. In-scope targets include the 15,000 to 50,000 active installations range —a roughly 94% increase in the number of eligible plugins in the WordPress repository.
You can view all of these updates in our Bug Bounty Program Overview.
Introducing the Bounty Estimator
Understanding the potential rewards can be challenging for researchers when left with vague information. By making our internal bounty estimator public, we aim to clarify the possible earnings from submissions, helping researchers prioritize their efforts for maximum return.
You can view all of these updates in our Bug Bounty Program Overview.
New Achievement Badges
To recognize our most prolific contributors, we’ve expanded our range of achievement badges up to 750 submitted vulnerabilities, ensuring that top researchers are adequately acknowledged for their efforts.
You can view all of these updates in our Bug Bounty Program Overview.
What’s Next? $10,000 Bounties Are Here to Stay.
Our bug bounty extravaganza is coming to a close this month on May 27th. We’ve decided to permanently increase our bounties effective May 28th so that our top rewards are $10,000+. Other adjustments will be made to continue rewarding impactful research while sustaining the program long term. We’d like to continue the success we’ve seen over the last 6 months, while also continuing to drive more research towards high impact vulnerabilities.
Next, we plan to enhance our researchers’ experience with a seamless new dashboard for managing submissions. Following that, our focus will shift towards vendors to streamline the vulnerability disclosure process.
In closing, we extend a huge thank you to our researchers who dedicate their time to improving the WordPress ecosystem, to the vendors who swiftly implement patches, and to the WordPress.org security team for their invaluable support. Together, we are making the web a safer place.
Stay tuned for more exciting developments with our Bug Bounty Program! We’re just getting started.
The post Revolutionizing WordPress Bug Bounty and Security: Latest Enhancements to the Wordfence Bug Bounty Program appeared first on Wordfence.