Wordfence Bug Bounty on Critical Thinking Podcast: Sharing WordPress Bug Bounty Tips & Tricks
Brad Osborne
January 25, 2024

Wordfence Researcher Featured on Critical Thinking Podcast: Sharing Advanced WordPress Bug Bounty Tips and Tricks

🎉 Did you know we’re running a Bug Bounty Extravaganza again?

Earn over 6x our usual bounty rates, up to $10,000,  for all vulnerabilities submitted through February 29th, 2024 when you opt to have Wordfence handle responsible disclosure!

Today was another huge step forward in our continuing mission to secure the web.

In celebration of the Wordfence Bug Bounty Program’s New Year Bug Extravaganza promotion, our very own Ram Gall, Senior Security Researcher here at Wordfence, was featured on the Critical Thinking Podcast this morning, hosted by Justin Gardner (aka Rhynorater).

This is a master class in learning how to find bugs and vulnerabilities in WordPress, which you can apply to our Bug Bounty Program and get paid well to do it!

There are dozens of advanced tips and tricks covered in their conversation. If you’ve ever been curious about turning your WordPress and PHP coding skills into an extra income through bug bounty research, this an incredible resource to help get you started.

Join our bug bounty program as a researcher, and then go watch the interview and learn all about how to find and submit WordPress bugs to earn extra income through our Bug Bounty Program.

Watch the Full Interview Here!

Or Listen on your favorite podcast platform:

Who Are Ram Gall and Justin Gardner?

Ram Gall is a Senior Security Researcher here, and has been a crucial member of our research and intelligence team at Wordfence for years.

He is an extremely talented and experienced WordPress security researcher and has discovered and disclosed many bugs in WordPress plugins and themes over the years. He is also the holder of various industry certifications such as CISSP, GWAPT, CHFI, SSCP, Security+, Pentest+, and CySA+.

In this interview he shares some of the best tips, tricks, and insights he’s gained from poring over PHP code in WordPress plugins and themes over the years, finding those elusive bugs and vulnerabilities and disclosing them to help make all of us in the WordPress community safer.

Justin Gardner is a former PHP developer turned full-time bug bounty hunter and now, host of the Critical Thinking Podcast. He has won several hacking contests and awards, and since learning about the Wordfence Bug Bounty Program last month from our previous partnership, he has turned a lot of his attention to learning about how to (ethically) hack WordPress and submit vulnerabilities to our program to earn rewards.

What Is Bug Bounty?

Bug bounty is a way for developers, ethical hackers, and anyone else who wants to join in to use their technical skills to find bugs and security vulnerabilities in software, and get paid a reward, or a “bounty” when they find one that has never been discovered before.

It can be challenging, exciting, and very rewarding for the folks who decide to get involved.

One of the best ways to get started is to register as a researcher in our program and get started finding bugs in WordPress plugins and themes. Because our program is so vast and covers so many potential vulnerabilities (and we pay the highest bounties in WordPress), it’s a great place for beginners and advanced researchers alike to earn bug bounties.

By submitting these vulnerabilities to the software developers in an ethical way called responsible disclosure, this helps the developers learn about flaws in their code that could potentially be harmful to end users.

The faster these bugs get discovered and disclosed, the faster they get patched – and all of our WordPress websites get safer and more secure.

What Is A Bug Bounty Program?

A bug bounty program is a sponsored program where a company pays researchers for their discoveries, based on the scope and severity of the flaws they discover. Typically organizations host these to cover vulnerabilities in their own products and softare. However, there are a few open-source initiatives out there, like the Wordfence Bug Bounty Program, where organizations pay bounties for vulnerabilities in other vendors’ software in attempt to make the overall web a safer place.

In our case, the Wordfence Bug Bounty Program pays bounties to researchers for discovering and submitting in-scope vulnerabilities found in ANY WordPress plugin or theme that has over 50,000 installs. Once you unlock 1337 Researcher status, you unlock the ability to submit in-scope vulnerabilities in ANY WordPress plugin or theme that has over 1,000 installs. Earning 1337 status increases your scope of targets by almost 10x! 

We are the highest paying WordPress Bug Bounty Program in existence, with one of the largest scopes of any Bug Bounty Programs in existence (including over 8,000 individual software products when you unlock 1337 status).

Why?

By incentivizing and cultivating top-tier security research in the WordPress space, Wordfence commits in yet another way to our mission: to secure the web. By rewarding researchers for their efforts in finding vulnerabilities in WordPress software,  in an industry where there was often little to no financial reward for research efforts, we will attract more top-talent into the WordPress security research ecosystem. This ultimately means getting the worst vulnerabilities “off the streets” before the bad threat actors can get to them, and less vulnerabilities for attackers to target means less sites to successfully compromise.

We launched our program late last year, and since then we have gained a lot of buzz from around the WordPress community, and the ethical hacker community as being one of the best bug bounty programs for people to join.

How To Earn Money As a WordPress Bug Bounty Researcher

The easiest way to get started as a bug bounty hunter is to join the Wordfence Bug Bounty Program as a researcher.

Unlike many other programs, we allow you to submit bugs for any WordPress plugin or theme that has over 50,000 installs. And once you unlock 1337 Researcher Status, this becomes any plugin or theme with over 1,000 installs.  

That means you are free to explore and discover bugs in places where there isn’t a whole lot of competition like some other bug bounty programs.

If you’re a WordPress developer, this can be a fun, challenging and rewarding way to sharpen your skills, earn some extra income, get your first published CVE, and help to make the WordPress community and the web a safer place by disclosing vulnerabilities that could be harmful to end users. 

Here are some great steps to getting started as a bug bounty researcher:

Step 1: Join the Wordfence Bug Bounty Program
Step 2: Join our Bug Bounty Discord channel and learn from a community of fellow researchers
Step 3: Watch the interview above, have fun, and start hacking!
Step 4: Use your new skills to find and submit your first bug. If it’s in-scope, you’ll be rewarded with a paid bounty, and a CVE.

Together, we will continue to make WordPress safer for everyone, and continue to secure the web.

Did you enjoy this post? Share it!

LinkedIn 

Comments

1 Comment
  • francescocarlucci
    January 26, 2024
    7:46 am

    Awesome interview Ram! But you gave away all of our WordPress Bug Bounty secrets :) Now everyone will be looking at 'wp_ajax' and 'register_rest_route'! Joking, it was a great talk with plenty of takeaways. Thank you!

Breaking WordPress Security Research in your inbox as it happens.

Example of a news story

This site uses cookies in accordance with our Privacy Policy.