Wordfence has introduced an exciting new initiative, the WordPress Superhero Challenge, as part of its ongoing Bug Bounty Program. Running until October 14th, this challenge exclusively targets plugins and themes with over 5 million active installations, a category that demands a high level of expertise due to the extensive testing these products undergo before reaching production.
Chloe Chamberland, the Threat Intelligence Lead at Wordfence, explained, “By running this challenge, we want to supercharge the amount of research going into these extremely popular products, thereby improving the security of hundreds of millions of visitors to sites with these products installed.”
Wordfence is tripling the current top bounty amounts, with the top bounty prize being an impressive $31,200. “By funding more vulnerability research than any other organization and releasing vulnerabilities to the community in a timely fashion, we further our mission of securing the Web,” said Chloe.
Besides the bounty prize, researchers who discover and report critical or high-severity vulnerabilities in plugins or themes with 5 million+ active installs will be awarded a special “WordPress Superhero” badge, marking their exceptional contribution to WordPress security. The repository has 10 plugins with over five million active installations but no themes.
The bug bounty program excludes products of some companies, such as Google, Brainstorm Force, Automattic, and Siteground, as they have their own reward programs in place. The Wordfence website has more details about the program guidelines.
Wordfence launched the Bug Bounty Program in November 2023 to reward researchers for finding vulnerabilities and disclosing them privately. The company rewards the researchers based on active install counts, the criticality of the vulnerability, the ease of exploitation, and the prevalence of the vulnerability type and has spent over $300,000 in bounties since 2023.
WordPress, with its impressive market share of over 43% of the internet, needs researchers to make it secure. Last month, Patchstack, another popular web security name, launched Patchstack Academy and doubled its monthly competition bounties. Their Zeroday program now offers researchers bounties ranging from $150 to $14,400, depending on the access level required to exploit the reported vulnerability. Reporting vulnerabilities in plugins/themes with over 5 million installs will net researchers a bounty of $7,200 or $14,400.
With the world facing several security nightmares recently, including the CrowdStrike fiasco, it is great to see security being given more attention in the WordPress community.