If you’ve been paying attention, you know that the last two versions of WordPoints included minor security fixes. If you’ve been paying attention and you have a basic understanding of security, you’ve updated as quickly as possible.
While on the one hand finding security issues in a plugin seems like a bad thing, it is actually good. That is, it is good when the good guys (like the plugin developer and responsible security researchers) find the vulnerabilities. In that case the bugs get reported and fixed. When the bad guys, like attackers, find them first, the vulnerabilities get exploited instead.
The fact is that virtually all code contains vulnerabilities. Some are more serious than others. The important thing is that the programmer understands what those vulnerabilities are, and that he scrutinizes his code so they don't just go unnoticed for years. Even better is when he has others scrutinizing the code as well. After all, two heads are better than one.
With that in mind, I’ve launched a security bug bounty program for the plugin on HackerOne. This will provide a platform where I, as the plugin developer, can work together with other security researchers to find and fix any vulnerabilities the plugin may have. It puts the plugin’s code in front of more pairs of eyes, which will result in quicker discovery and remediation of vulnerabilities. The end result: better security.