Wordfence, a well-known company in the field of cybersecurity, recently launched a new bug bounty program. This initiative aims to offer financial incentives to security researchers who report high-risk vulnerabilities to the company.
Once researchers disclose vulnerabilities to Wordfence, the company manages them and confidentially communicates them to vendors for remediation. When the fix is released, the vulnerability is included in the Wordfence public database, freely accessible, following a responsible disclosure policy.
Chloe Chamberland, security analyst at Wordfence, said: “There is no limit to the rewards an individual researcher can earn, and each relevant vulnerability received through our submission process warrants a reward."
Wordfence will reward researchers who discover vulnerabilities in plugins and themes with over 50.000 active installs. Some payment examples include:
- $1.600 for Arbitrary Unauthenticated File Upload, Remote Code Execution, Escalation of Admin Privileges, or Arbitrarily Updating Options in a plugin or theme with over one million active installs.
- $1.060 for Unauthenticated Arbitrary File Deletion in a plugin or theme with over one million active installs, assuming wp-config.php can be easily deleted.
- $800 for an unauthenticated SQL injection into a plugin or theme with over a million active installations.
- $320 for an Unauthenticated Cross-Site Scripting vulnerability in a plugin or theme with over one million active installs.
- $80 for a Cross-Site Request Forgery vulnerability in a plugin or theme with over one million active installs and significant impact.
Our Bug Bounty Program rewards are designed to have the greatest positive impact on the security of the WordPress ecosystem. Rewards are not earned by mass searching for low-impact vulnerabilities to earn a spot on a leaderboard, but are based on the number of active installations, criticality of the vulnerability, ease of exploitation, and prevalence of the vulnerability type.
The launch of Wordfence's bug bounty program clearly aims to position itself competitively, indirectly challenging Patchstack, which operates its program on a leaderboard system where only the best researchers get paid. There are some notable differences, where some awards are given at discretion, but most individual awards are for the highest score in various categories:
Patchstack guarantees a monthly prize pool of at least $2425 (the lowest possible prize pool). The Patchstack Alliance member who collects the most points for a particular month from their submitted reports will receive a reward of $650, second place will receive $350 and third place will receive $250.
There are extra rewards (single rewards) for reporting the vulnerability with the highest base score according to CVSS ver. 3.1; the highest active install count; and to report a group of components affected by the same vulnerability.
Patchstack may reward individual members of the Patchstack Alliance at its discretion based on the overall impact of the vulnerabilities they discover.
Wordfence takes a different approach to paying for each vulnerability reported within the scope identified by the program.
Researchers in the WordPress ecosystem should familiarize themselves with the various bug bounty programs and determine the best avenue for their reports. Some plugins and companies, such as Elementor, Brainstorm Force, Automattic, Castos, and WP Engine, have their own bug bounty programs, with a range of different payouts.
We pay more per vulnerability and we pay for every valid vulnerability submitted, we believe this is the only right way to proceed, as gamification of a vulnerability program is like having employees all working, but only those at the top get paid . If you submit a valid vulnerability, you should be paid for your work.
said Mark Maunder, CEO of Wordfence.
Maunder argues that the wrong incentives are lowering the quality of research submitted.
There are an extremely high number of low-risk, low-quality vulnerabilities being submitted to databases like Patchstack, Vulnerabilities involving Cross-Site Request Forgery are an example. The incentives we're seeing out there encourage researchers to generate a high volume of low-risk vulnerabilities to get rewarded. These high numbers are then used to market security products.
Maunder said Wordfence structured its program to shift incentives toward finding high-risk vulnerabilities, rather than boosting marketing metrics for a particular vulnerability database.
A high volume of low-risk vulnerabilities in any particular database hurts the industry because it creates work for other organizations that need to integrate this data, but for the most part it is just useless noise that we are forced to sift through, rather than posing a risk real for the user community
As a new entry into the group of WordPress companies offering bug bounties, Wordfence enters the market with the intention of attracting more reports through additional bonuses (10% for the first 6 months) and a bonus structure that rewards chaining multiple vulnerabilities together , thorough documentation and other extra efforts.
Not every author of a popular plugin or theme can afford to offer their own bug bounty program, and this is where security companies step in to fill the gaps. More competition between companies for high-quality research can only be a good thing for WordPress users, as it provides more incentives for ecosystem security and will potentially attract more qualified researchers. Bug bounty programs will likely evolve over time as companies refine them to provide the best value for original research.