WordPress is the engine for more than a quarter of the most popular public websites on the internet. This blog, in fact, is powered by WordPress. Yesterday, WordPress officially announced their public bug bounty program on HackerOne.
To celebrate and give you a chance to learn more about WordPress and their approach to bug bounties and security, we recently caught up with Aaron Campbell, Security Team Lead at WordPress. See the full Q&A below:
Q: Please introduce yourself and what you do for WordPress.
I’m Aaron Campbell and I’m the WordPress Security Team Lead.
Q: Tell me a bit about WordPress and why security is so important to your project.
WordPress is open source software you can use to create a beautiful website, blog, or app. It’s the largest self-hosted content management tool in the world, powering more than 27% of the top ten million sites on the web. Keeping all those sites secure makes a better Internet for everyone.
Q: Why did you decide to launch a bug bounty program? Why are you working with hackers to improve your security?
Being an open source platform, WordPress has long understood the benefits of many people working together. One person will see things that another person will not. Extending the group of people working to make WordPress more secure just makes sense, and rewarding them for their hard work and responsible reporting lets them know they’re appreciated.
Q: What tips do you have for companies first starting out with a bug bounty program?
Be sure to prioritize. There are likely to be times, especially right after launch, where there are simply more issues than you or your team can handle at once. But you don’t have to deal with them in order. Take into account how many of your users might be affected, what the worst case scenario is for them, and how likely it is that they could be affected. Then handle the most important first, not the oldest.
Additionally, make sure your program scope and exceptions are very clear to reporters. Take the time to learn about all the features HackerOne provides for triaging reports – automated triggers, common responses, signal requirements, etc. – as they can save you a lot of time, especially during the initial flood of reports.
Q: You recently transitioned from a private to public program, can you talk about the internal decision to go that route and how it’s been since the public launch?
From the start, the plan has been for this to be public. The purpose of the private program was to give the WordPress Security Team time to get a handle on the system and develop processes around it.
Even with that preparation, the public launch was hectic. The increase in volume of reports was drastic as expected, but also our team really hadn’t had to process any invalid reports before moving the program public. The dynamics of the Hacker Reputation system really came into play for the first time, and it was really interesting to figure out how to best work within it.
Q: Tell us a bit about the hackers you are working with. Did anything impress you about them? How did you select them?
When the program was private, whenever a hacker reported an issue through our existing system we would invite them to join our HackerOne program. After making the program public, hackers have self-selected. WordPress is an interesting target – it’s well known, open source, and quite pervasive – and it seems hackers are attracted to that.
The vast majority of hackers our team has worked with on HackerOne have been great. The quality of the reports has been especially good. There aren’t a lot of things more frustrating than spending a bunch of time trying to reproduce an issue because details were missing from the report or steps weren’t given.
Q: How does your bug bounty program supplement the work you and your security team do?
More eyes means fewer issues missed. It’s really that simple. Our security team is great and they do a lot, but it’s fantastic to have other hackers help us find the things we may have missed.
Q: Where do you see your bug bounty program evolving to in the future? What goals do you have, what do you want to strive for from a security perspective?
The goal is simple – keep all WordPress users secure. One of the things that might help accomplish this in the future is to include popular WordPress plugins or themes in our program.
Q: What would you tell a friend who came to you for advice on why they should start a bug bounty program at their company?
The short answer is “absolutely”. It’s important to catch and fix security issues. It’s good for your company as well as your users. But the truth is, that’s not enough. You also need to make sure that your developers understand good security practices and are implementing them from the very start. Never having a vulnerability in the first place will always be better than fixing it later.
Q: Okay - so we have to ask this, please give us all the juicy details ;) - Why did you choose HackerOne as your bug bounty platform provider?
HackerOne has a great base of hackers already on the platform, which is a big benefit. Add to that the tools for processing the reports, automated responses, simple bounty payments, and more, and the choice was pretty easy.
Get your hacking shoes on and run on over to https://hackerone.com/wordpress/ now!
P.S. Inspired by Aaron and WordPress and want to launch your own bug bounty program? Start a conversation with us today.
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.