WordPress Bug Bounty: Best Resources for Security Researchers

WordPress has seen amazing growth in the bug bounty space in the last couple of years. Specially thanks to Patchstack and WordFence. A lot of newcomers are getting involved in this ecosystem. I decided to note down some important links that will hopefully guide the newcomers and help them find the resources faster.

Here are some links to resources related to bug bounty in the WordPress ecosystem:

Patchstack

• Patchstack Bug Bounty Overview: https://patchstack.com/bug-bounty

• Patchstack Bug Bounty Guidelines & Rules: https://patchstack.com/articles/bug-bounty-guidelines-rules/

• Patchstack Vulnerability Database: https://patchstack.com/database/

• All Time Patchstack Bug Bounty Leaderboard: https://patchstack.com/database/leaderboard/

• Patchstack Discord Channel: https://discord.com/invite/V9AE9zczhv

• Patchstack Academy (Free Learning Resource): https://patchstack.com/academy/welcome/

• Recent Bug Bounty Articles in Patchstack Blog: https://patchstack.com/category/patchstack-bug-bounty/

Here are some facts about patchstack:

• Patchstack only supports PayPal for bounty payouts. This link explains the process in detail.

• They can do a direct bank transfer, if the bounty amount is at least $500. This is easier for people from Bangladesh.

• Patchstack is super fast and responsive when it comes to triage.

• If you have any issues or confusion, create a support ticket in their discord, or post a message in the channels there.

• The leaderboard style competition is super fun and exciting.

WordFence

• Wordfence Intelligence Bug Bounty Program Rules: https://www.wordfence.com/threat-intel/bug-bounty-program/

• WordFence Bug Bounty Discord: https://discord.com/invite/awPVjTNTrn

• WordFence Vulnerability Database: https://www.wordfence.com/threat-intel/vulnerabilities/

• The WordPress Security Learning Center: https://www.wordfence.com/learn/

Others

• WPCTF (Cool Challenges and Guidelines): https://wpctf.org/

• Blog of Mat Rollings: https://sec.stealthcopter.com/

My Guidelines

• If you are a beginner, start by learning about WordPress in depth.

• Learn about the WordPress ecosystem.

• Learn PHP. This is a must. You will be doing mostly whitebox testing and reviewing other peoples code. If you do not know PHP well, you can not do well here

• Try to build your own plugin.

• Learn about different types of plugins, like LMS, ecommerce, community etc.

• Learn about Gutenberg FSE, Elementor, Bricks, etc and their philosophies.

• When you have a solid understanding of WordPress, do this: Go to the WordFence Vulnerability Database. Then try to re-produce the reports.

• Try to find similar bugs it other plugins.

Last Updated:

If you found this post helpful, consider buying me a coffee. It keeps me writing!