WordPress officially launched the WordPress bug bounty program on HackerOne May 15 of this year, almost six months ago. The goal was to leverage the tools HackerOne provides to improve the quality and consistency of our communication with reporters, and to reduce the time spent on responding to commonly reported issues in order to free our team to focus more time on improving the security of WordPress as well as our sites and other properties.
Success
Since that launch, we have paid out approximately $14,000 in bounties for thirty-nine unique reports – an average of more than $350 for each valid report – from twenty-two different hackers (researchers). This part is exciting! People are helping keep WordPress secure.
Struggles
It's amazing that we've been able to resolve these valid reports (not all were eligible for bounties; some reporters were sent swag as a thank you), but there's more to the story. Those valid reports only account for roughly 16% of the overall reports. About five out of every six reports are invalid. These invalid reports still take time to process, test, etc.
Time is always valuable, but when working with a volunteer team it can feel even more so. Dealing regularly with invalid reports not only consumes a lot of time, but can also feel extremely useless – like a lot of work for no reason. We need to continue to focus on improving this process, but I'm extremely thankful to the people on the team who work to triage on HackerOne for us.
What Now
I would say that the program has been a success so far, so we want to continue it. We are actively working to address the biggest struggle we face, which is the invalid reports that take up so much time without yielding useful results. HackerOne offers some tools that we're trying to leverage to help.
- Common responses – building up a repertoire of useful responses that can be easily sent to reporters takes time. We hope this will pay off in future time savings, as we no longer have to write the same basic response over and over.
- Triggers – these allow us to automatically show one (or more) of our common responses to reporters as "Are you sure?" interstitials, based upon keywords in the report. Adding some of these has helped and we hope to build a good collection of them as we go.
- Reputation – HackerOne has both a reputation and a signal rating for all users. We can limit the ability to submit reports to only hackers with a minimum signal. There is a balance here. We don't want to miss out on valid reports, but we do want to reduce the noise.
We are also working with HackerOne to find other ways we might be able to improve our processes. Stay tuned!