WP Engine Requires Agreeing to 15 Page Legal Agreement to Report Security Issues to Them
As part of Matt Mullenweg’s ongoing extortion campaign against WP Engine, anyone logging in to the website of WordPress has to click a checkbox saying that “I am not affiliated with WP Engine in any way, financially or otherwise.”

That has not been well received and has created massive problems.
As with a lot of things in the larger situation, WP Engine has its own issues along the same lines. One of them involves trying to report security issues to them, which there have been plenty of in their WordPress plugins.
When trying to report a security issue to them, you probably would make your way to their Report a Security Issue page. That provides this information:
If you have found a security vulnerability or other security issue on WP Engine and are a WP Engine customer, please create a support ticket.
If you are not a WP Engine customer, please submit security vulnerabilities or other security issues via our Intigriti Vulnerability Disclosure Program at https://app.intigriti.com/programs/wpengine/wpengine/detail.
A member of our security or support team will follow up with you regarding the issue shortly.
So if you are not a customer, you have to report security issues through a third-party bug bounty program.
As we talked about with WordPress itself in August, bug bounty programs don’t accept reports of many security issues. Another common issue is that you have to accept a legal agreement with the third party handling the bug bounty program. The agreement you would need to accept to report an issue to WP Engine is 15 pages when printed. It doesn’t seem like you should have to enter into a legal agreement to report a security issue. A company or legally conscientious individual might need to pay a lawyer to review the agreement before it is agreed to.
If WP Engine were paying bounties, that might make what is going on here more defensible, but they are not:

Unsurprisingly, this isn’t leading to many real security issues being reported. The program has existed since March 2022 and there have been only 41 accepted submissions:
