Today, WordPress.org announced that with the latest update (being pushed out now) they will be officially on HackerOne! You can read the entire article online here.
What is HackerOne?
In a nutshell, it’s a platform for hackers and pen testers to proactively report vulnerabilities to the core team. It provides the tools needed to improve and standardize the way new security threats are reported and handled. This is a big step in the right direction.
One of the big benefits of this type of system is that the amount of time necessary to report, confirm, fix and publish will be much less than previously required. These new processes will help secure the online community dramatically. It’s currently estimated that over 30% of the websites online are now running a version of WordPress.
This has been in the works for over a year. Tests were conducted on a private (invite only) internal system and the results were amazing.
Today it’s being rolled out to everyone!
What does this really mean? Well, if things go as planned, it will mean that the response time for patching vulnerabilities will be decreased, meaning we will all be running more secure websites.
Does this mean I don’t have to worry?
Unfortunately not. Unless you run your website with zero plugins or widgets outside of the core files, you risk introducing foreign code that can compromise the entire website.
If your website has been hacked in the past or you are currently dealing with a hacker, this is a big deal. This is where “less is more”… as in, the fewer 3rd party apps, plugins and widgets you add, the more secure your website will be.
Why would a hacker disclose a vulnerability?
With this new HackerOne program, they are now introducing bug bounties. These bug bounties pay money to those who disclose vulnerabilities. Let’s be honest, when there is money on the table, it becomes easier to part with a finding.
The program and bounties cover all of the WordPress applications, including WordPress, BuddyPress, bbPress, GlotPress, and WP-CLI, as well as all of their websites, including WordPress.org, bbPress.org, WordCamp.org, BuddyPress.org, and GlotPress.org.
Hopefully this will encourage more disclosure and help the developers provide a more secure application for everyone.