With over 1200 hits generated by Crowdsource submissions, September was our second best month so far. We have added many new vulnerabilities affecting WordPress, both core and plugins. A few of the plugins were used by a large amount of WordPress installs, as you can read in our article where we list all our newly added vulnerabilities. Many of these modules were submitted by this month’s hacker Yasin Soliman.
Improvements in the platform
New vulnerabilities are far from all that has happened in September. The platform and community have had a few big changes, and many of the improvements were based on the feedback we received from members of the Crowdsource community. We sent a survey to all invited researchers, and we want to thank everyone who took the time to answer it. The results showed us that we are focusing on the right things, and the platform will see a few major changes that our researchers will love. Stay tuned!
The first update we’ve released is that researchers from Crowdsource can now get a “fixed bounty” for their submissions. This means that the researcher will receive a fixed payout besides the regular payout per hit. We hope that this change will encourage researchers to submit modules of high quality that may not generate a lot of hits, but are equally important to us.
In September, the top finding was an open redirect affecting the latest version of WordPress.
Hacker of the month
The Detectify Crowdsource hacker of the month is Yasin Soliman, a 17-year old UK based security researcher who submitted more than 25 valid modules to Crowdsource in September. We got the opportunity to interview Yasin about his participation in Crowdsource, security role models and his view on other bug bounty programs.
Guest Blog: Don’t Leave your Grid Wide Open
Our guest blogger and Detectify Crowdsource hacker Peter Jaric explains how Selenium Grid could be exploited to read files on the server.