Aaron D. Campbell, WordPress Core Contributor at GoDaddy, is replacing Nikolay Bachiyski as WordPress’ Security Czar or WordPress Core Security Team Lead. The role was created in 2015 to provide more structure and focus around incident responses.
According to Campbell, “The responsibilities of the position include organizing the security team and making sure all security concerns and reports get triaged and ultimately fixed, coordinating the security side of releases, and being a point of contact for any security-related things that need one.”
Matt Mullenweg, co-creator of the WordPress project, thanked Bachiyski for being the first to accept the role and putting the foundation in place for future team leads. “This is also a good time to thank the dozens of volunteers who participate in the security group, and the researchers and reporters who bring issues to our attention,” he said.
Campbell says he plans to finish what Nikolay started by getting WordPress.org onto HackerOne. “Nikolay did a lot of work around expanding our team as well as getting the foundation laid for moving over to HackerOne,” he said.
“We aren’t quite ready to make the move completely, but I hope to phase out the security@ E-Mail address in favor of HackerOne in the near future.”
In late 2016, GoDaddy hired Campbell to contribute to WordPress core full-time. The company continues to back his involvement in WordPress. “The role is completely voluntary,” Campbell said. “GoDaddy has truly been extremely hands off while funding me to do all this, and I’m grateful to have that continue.”
If you think you’ve discovered a security vulnerability in the self-hosted version of WordPress, you’re encouraged to responsibly disclose it to the security team by emailing security @ wordpress.org and including as much detail as possible.