Wordfence launched a bug bounty program today to give security researchers a financial incentive to report high-risk vulnerabilities through the company's program.
After researchers disclose vulnerabilities to Wordfence, the company triages them and confidentially discloses them to the vendors to fix. When the fix is released, the vulnerability will be included in Wordfence’s public database, which is free to access, following a responsible disclosure policy.
“There is no cap on the rewards an individual researcher can earn, and every single in-scope vulnerability received via our submissions process earns a reward bounty,” Wordfence security analyst Chloe Chamberland said.
Wordfence will reward researchers who discover vulnerabilities in plugins and themes with 50,000+ active installations. A few examples of the payouts include the following:
- $1,600 for an Unauthenticated Arbitrary File Upload, a Remote Code Execution, a Privilege Escalation to Admin, or an Arbitrary Options Update in a plugin or theme with over one million active installations.
- $1,060 for an Unauthenticated Arbitrary File Deletion in a plugin or theme with over one million active installations, assuming wp-config.php can easily be deleted.
- $800 for an Unauthenticated SQL Injection in a plugin or theme with over one million active installations.
- $320 for an Unauthenticated Cross-Site Scripting vulnerability in a plugin or theme with over one million active installations.
- $80 for a Cross-Site Request Forgery vulnerability with a significant impact in a plugin or theme with over one million active installations.
“Our Bug Bounty Program has been designed to have the greatest positive impact on the security of the WordPress ecosystem,” Chamberland said. “Rewards are not earned by bulk hunting for vulnerabilities with minimal impact and earning a place on a leaderboard, but rather, they are based on active install counts, the criticality of the vulnerability, the ease of exploitation, and the prevalence of the vulnerability type.”
Wordfence’s launch announcement was clearly vying for competitive positioning by indirectly calling out Patchstack, whose program runs on a leaderboard system in which only the top researchers get paid. Patchstack’s program has a few notable differences: some bounties are awarded at Patchstack’s discretion, but most individual bounties go to the highest score in various categories:
Patchstack guarantees a monthly prize pool of at least $2425 (the lowest possible prize pool). The Patchstack Alliance member who collects the most points in a particular month from their submitted reports will get the $650 bounty; second place will get $350 and third place $250.
We have extra bounties (single bounties) for reporting the vulnerability with the highest CVSS ver. 3.1 base score; the highest active install count; and for reporting a group of components affected by the same vulnerability.
Patchstack can reward individual Patchstack Alliance members at their discretion based on the overall impact of the vulnerabilities they discover.
Wordfence is taking a different approach in paying for every vulnerability reported within the scope identified by the program.
Researchers in the WordPress ecosystem should familiarize themselves with the various bug bounty programs and determine the best avenue for their disclosures. Some plugins and companies, such as Elementor, Brainstorm Force, Automattic, Castos, and WP Engine, have their own bug bounty programs, with a range of different payouts.
“We pay more per vulnerability and we pay for every valid vulnerability submitted,” Wordfence CEO Mark Maunder said. “We feel this is the only fair way to do it because gamification of a vulnerability program is like having employees who all work, but only those at the top of the leaderboard get paid. If you submit a valid vulnerability, you should get paid for your work.”
Maunder contends that the wrong incentives are driving down the quality of the research submitted.
“There are an extremely high number of low risk and low quality vulnerabilities being submitted to databases like Patchstack,” he said. “Vulnerabilities that involve a Cross-Site Request Forgery are an example of this. The incentives we are seeing out there encourage researchers to generate a high volume of low risk vulnerabilities to get rewarded. These high numbers are then used to market security products.”
Maunder said Wordfence has structured its program around shifting the incentives to reward research into high risk vulnerabilities, instead of ramping up the marketing metrics for a particular vulnerability database.
“A high volume of low risk vulnerabilities in any particular database harms the industry because it creates work for other organizations who have to integrate this data, but for the most part it is useless noise that we are forced to sift through, rather than representing any real-world risk to the user community,” Maunder said.
Patchstack CEO Oliver Sild responded to these claims with data he says demonstrates that Wordfence is also responsible for producing a high volume of low risk vulnerability CVEs.
“WordFence as a CNA actually produces lower risk vulnerability CVEs on average compared to all 3 CNAs in the WordPress space,” Sild said.
CVEs with CVSS equal to or higher than 5 (2023)
- Patchstack: 91.39%
- WPscan: 77.89%
- WordFence: 72.52%
CVEs with CVSS equal to or higher than 7 (2023)
- Patchstack: 49.76%
- WordFence: 34.53%
- WPscan: 20.92%
CVEs with CVSS equal to or higher than 8 (2023)
- Patchstack: 30.02%
- WordFence: 24.90%
- WPscan: 12.05%
CVEs with CVSS equal to or higher than 9 (2023)
- WordFence: 9.37%
- WPscan: 4.60%
- Patchstack: 2.42%
“WordFence does indeed on average assign the highest % of CVSS 9+ CVEs (though, they are also the smallest CNA of all three), but the high CVSS alone doesn’t determine whether the vulnerability will become exploited, and the reality is that vulnerabilities that are being actively exploited in the WordPress ecosystem often have lower CVSS scores,” Sild said.
“Also, keep in mind that we at Patchstack have an almost 2x higher volume of new vulnerability reports coming in (more than WPscan and WordFence combined), so obviously this also lowers the average for us on the edge scores.”
As the newcomer to the group of WordPress companies offering bug bounties, Wordfence is entering the market with the intention of attracting more reports through additional bonuses (10% for the first 6 months) and a bonus structure that rewards chaining multiple vulnerabilities together, thorough documentation, and other extra efforts.
Not every author of a popular plugin or theme can afford to offer their own bug bounty program, and this is where security companies are stepping in to fill in the gaps. More competition across companies for high quality research can only be good for WordPress users, as it provides more incentive for securing the ecosystem and will potentially attract more skilled researchers. The bug bounty programs will likely evolve over time as companies refine them to provide the best value for original research.