Events

Bugcrowd & LifterLMS

Announcing the Public Launch of the LifterLMS Vulnerability Disclosure Program on the Bugcrowd Platform

Since 2019, LifterLMS has maintained a Vulnerability Disclosure Program. Our program has evolved since its initial iteration and today we’ve opened our formerly private program to any researcher on the Bugcrowd platform.

We’ve always taken care to ensure our software has best-in-class security but, as any software or company, we’ve grown, evolved, and learned.

We’ve had failures and successes and in all things we’ve endeavored to build secure software so our users can focus on education and training first. We are not, nor do we pretend to be, an enterprise solution. But we do aim to ensure our software is as safe and secure as any enterprise alternative.

While considering whether or not to announce the public launch of our program on Bugcrowd I started thinking back through my memory about how we arrived at where we are today. In thinking about it I decided to write something of a history of our team’s security journey.

Our First Vulnerability Disclosure

In the fall of 2019 an anonymous security researcher disclosed a vulnerability in the LifterLMS plugin to the WordPress.org Plugins Review Team. As a result, our plugin was de-listed from the Plugin Repository.

My initial reaction to the email was shame.

I reviewed the offending code in disbelief. How could I have written and shipped this code? It was so obviously flawed it should never have been released. I should have known better, and I did know better. Yet, here it was. The facts of the vulnerability were indisputable.

So, we fixed it. As we’ve found over the years, fixing a vulnerability is often quite simple. It’s trivial to see an exploit once you’re alerted to it. A few hours after we were de-listed, the issue was resolved and the next morning the plugin was re-listed.

Before this incident we thought about proactive security. Our coding process requires code review from another developer before any code is published. We talked about security. We kept ourselves apprised of best practices and common exploits.

We ran automated tests and performed static analysis against all our code. We knew this wasn’t enough but we didn’t know what was better.

This vulnerability demonstrated, publicly, that our intentions and processes were limited and fallible. Human error and oversight could be mitigated but not entirely prevented.

Launching a Self-Managed Bug Bounty Program

After resolving the issue my initial shame and embarrassment had time to fester. Instead of feeling confident that we’d fixed a problem, I felt terrified that there were more issues and oversights. A multi-developer audit of our codebases resulted in no additional vulnerabilities. And instead of feeling safe, I was haunted.

We don’t know what we don’t know.

Chris and I flew to Pressnomics 6 in Tucson a few weeks later. One of the talks was given by a security engineer at Pagely. After his presentation he was kind enough to act as a security therapist. He listened to my story and nodded with empathy.

He said “It will happen again” and “It will be okay.”

He said “As long as researchers know how to find you, they will.”

He said “Make it stupid easy for them to contact you.”

When I got home I contacted HackerOne and Bugcrowd and learned that it’s not terribly affordable to run a vulnerability disclosure program on these platforms. After weeks of conversations with both parties we decided that maybe there’s a reason why the only WordPress plugins I could find with bug bounties and security programs had 500,000+ active installs. At the time we had less than 10,000.

So we launched our own security program and bug bounty. We published the first version of our security program at lifterlms.com/security. The page outlined our security disclosure and research policy. It included a relatively low-paying bounty schedule.

We paid out a few bounties over the next six months. The program was not a success but we decided it was better than nothing. If a researcher found something, they’d be able to get it to us safely. Our primary goal was to prevent any future de-listing by ensuring security researchers knew how to contact us should they discover any vulnerabilities in the future.

This superficial goal arose out of the implications of a statement the plugin review team made to us in their relisting email:

“…once a plugin is closed, many people will think it is because it was insecure, even if it wasn’t. That means your plugin becomes a target for hackers.”

In other words, de-listing due to a security vulnerability alerts malicious actors to the presence of an unpatched vulnerability.

Ensuring researchers could communicate with us directly, rather than going through the plugins review team, meant we could fix vulnerabilities without being de-listed, and in doing so we could reduce the number of people, specifically malicious actors or hackers, who were aware of an unpatched vulnerability.

Triage is Difficult and Time Consuming or The Next Human Oversight

In the late spring of 2020 our program was discovered by a group of student security researchers. They shared and posted our policy to various Facebook groups and forums.

Over the course of three weeks, we triaged nearly 200 vulnerability reports, almost all of which were invalid or informational reports related to things like security headers on LifterLMS.com (not the LifterLMS codebase). Often these emails were hostile and contained minimal useful information. The researchers insisted that we pay them for their efforts even if we found their reports invalid, requested more information, or determined they were duplicate reports.

I did my best to arrive at a mutually beneficial agreement with this group. In the moment, while overwhelmed, and not truly understanding what was happening, I mistakenly assumed that it was a small group of friends or acquaintances. I tried to hire them as a team and pay them a monthly stipend for security research.

However, while trying to discuss agreeable terms with a person who identified themselves as a “leader” of the group, reports continued to come in. It became clear that the problem was our own making.

I made an enormous error in drafting our security program: I had no idea how to effectively communicate with security researchers and I didn’t understand how to write a research brief with a meaningful scope.

We decided to cease communications, delete many of these emails, and suspend the self-managed program.

Launching and Maintaining a Managed Vulnerability Disclosure Program

So I returned phone calls to Bugcrowd and in July we reopened our security program, this time with managed triage on the Bugcrowd platform.

We launched the program as a private, invitation-only program and over the past two years invited more than 300 Bugcrowd researchers to test LifterLMS, our websites, and codebases.

Today there are 66 individual researchers who have joined our program. We’ve received 111 total submissions and accepted (and fixed) 20.

Submission Outcome   Count
Valid                 20
Informational         14
Invalid               67
Duplicate             10
Total                111

Of the accepted submissions, 2 were high severity, 7 were medium severity, and 10 were low severity. The remaining submissions were informational.

Submission technical severity graph

Growing our Program and Improving the Security and Stability of LifterLMS

We consider our partnership with Bugcrowd to be a success. In partnering, we’ve managed to remove the bulk of the triage effort from our developers: the Bugcrowd Application Security Engineers intake reports and let us know when a report has been validated or when they require our assistance to validate it.

We’ve successfully patched two high-severity vulnerabilities before they were disclosed publicly. On one hand, it’s terrible that we’ve had any high-severity vulnerabilities. But patching them following responsible, private disclosure is something to celebrate. To our knowledge these issues were never publicly exploited.

This is the ultimate goal of security research: to improve the security of our software by leveraging the knowledge and experience of security experts.

Together, with our partners at Bugcrowd, we’ve determined that the path towards further growth and improvement is to open our program to any interested researcher.

Hacktoberfest 2022

Hacktoberfest 2022: 5th Annual LifterLMS Contributor Month

During the month of October, LifterLMS will be celebrating open source with our fifth annual Hacktoberfest event: LifterLMS Contributor Month.

Hacktoberfest is a month-long open source community event organized by DigitalOcean.

LifterLMS will be participating in Hacktoberfest as a project maintainer. We encourage anyone to submit pull requests to any of the LifterLMS codebases found on GitHub.

Why Contribute

Contributing to open source projects is a great way to learn, practice your skills, meet new people, have your voice heard within a community, and build a public reputation you can take with you outside the project.

Who can Contribute

Anyone with a GitHub account can submit a pull request. If you don’t have one, you can sign up for free.

You don’t have to be a developer or coder to contribute. LifterLMS will accept contributions from QA testers, user experience and interface designers, documenters, and more! If you’re interested in participating but you don’t know how, get in touch with us and we’ll be happy to get you pointed in the right direction based on your unique set of skills and talents.

How to Contribute

Whether you’re a designer or developer, want to help with documentation, or something else entirely, we have a task for you!

If you’re looking to write or improve new code, tests, or documentation, head over to the LifterLMS GitHub repo and start looking through our existing issues. We’re using the special hacktoberfest tag for issues we feel would be ideal for first-time or new contributors to tackle during this event. You can view all these issues here. You could also check out our good first time contributor issues here.

If you plan to work on an issue please comment and let us know. This will help prevent collisions or duplicate efforts with other contributors.

Please review our contributor’s guidelines and ensure you’re adhering to our coding and documentation standards before submitting a PR!

You may also want to familiarize yourself with how to write and submit pull requests, and DigitalOcean has a great guide you can review here.

Finally, make sure you sign up for the official Hacktoberfest event so you’re eligible to win official event prizes!

Rewards for Contributions

In addition to the satisfaction inherent in contributing to an open source project, we’ll be awarding prizes to anyone who contributes to LifterLMS during the month of October.

Every accepted pull request will provide you with an entry into a drawing for a free LifterLMS add-on license of your choice valued up to $360.

Anyone who submits three or more accepted pull requests will receive a LifterLMS t-shirt, hat, or mug (your choice).

All pull requests will be reviewed by the LifterLMS team by October 31, 2022. Only accepted pull requests count towards your contribution count.

Resources for Contributors

During the month of October we have several events to help support anyone looking to contribute:

Office Hours

In addition to our weekly Monday Developer Office Hours held in Slack in the #general channel, we’ll also be hosting short dev chats throughout the month. If you can’t make a scheduled dev chat, just post your question and one of our team members will get back to you when we’re available.

These informal chats are a great opportunity to interact with LifterLMS core developers and other contributors.

If you have any questions about any contributions you want to make, if you’re just getting started, or if you want to just say hello and keep us company, these dev chats are for you (and you don’t have to be a developer to join).

Hacktoberfest 2021: 4th Annual LifterLMS Contributor Month

During the month of October, LifterLMS will be celebrating open source with our fourth annual Hacktoberfest event: LifterLMS Contributor Month.

Hacktoberfest is a month-long open source community event organized by DigitalOcean.

LifterLMS will be participating in Hacktoberfest as a project maintainer. We encourage anyone to submit pull requests to any of the LifterLMS codebases found on GitHub.

Why Contribute

Contributing to open source projects is a great way to learn, practice your skills, meet new people, have your voice heard within a community, and build a public reputation you can take with you outside the project.

Who can Contribute

Anyone with a GitHub account can submit a pull request. If you don’t have one, you can sign up for free.

You don’t have to be a developer or coder to contribute. LifterLMS will accept contributions from QA testers, user experience and interface designers, documenters, and more! If you’re interested in participating but you don’t know how, get in touch with us and we’ll be happy to get you pointed in the right direction based on your unique set of skills and talents.

How to Contribute

Whether you’re a designer or developer, want to help with documentation, or something else entirely, we have a task for you!

If you’re looking to write or improve new code, tests, or documentation, head over to the LifterLMS GitHub repo and start looking through our existing issues. We’re using the special hacktoberfest tag for issues we feel would be ideal for first-time or new contributors to tackle during this event. You can view all these issues here. You could also check out our good first time contributor issues here.

If you plan to work on an issue please comment and let us know. This will help prevent collisions or duplicate efforts with other contributors.

Please review our contributor’s guidelines and ensure you’re adhering to our coding and documentation standards before submitting a PR!

You may also want to familiarize yourself with how to write and submit pull requests, and DigitalOcean has a great guide you can review here.

Finally, make sure you sign up for the official Hacktoberfest event so you’re eligible to win an official limited edition event shirt.

Rewards for Contributions

In addition to the satisfaction inherent in contributing to an open source project, we’ll be awarding prizes to anyone who contributes to LifterLMS during the month of October.

Every accepted pull request will provide you with an entry into a drawing for a free LifterLMS add-on license of your choice valued up to $360.

Anyone who submits three or more accepted pull requests will receive a LifterLMS t-shirt, hat, or mug (your choice).

All pull requests will be reviewed by the LifterLMS team by November 19, 2020. Only accepted pull requests count towards your contribution count.

Resources for Contributors

During the month of October we have several events to help support anyone looking to contribute:

Office Hours

In addition to our weekly Monday Developer Office Hours held in Slack in the #developers channel, we’ll also be hosting short dev chats on Wednesdays and Fridays through the month of October.

These informal chats are a great opportunity to interact with LifterLMS core developers and other contributors.

If you have any questions about any contributions you want to make, if you’re just getting started, or if you want to just say hello and keep us company, these dev chats are for you (and you don’t have to be a developer to join).

Kickoff Event

On Friday, October 1 we’ll be hosting a special hour-long office hours. This event is a great opportunity to start Hacktoberfest off with a bang.

Check out our contributor’s calendar for more details on these events.

Hacktoberfest 2020 Results

The 3rd Annual LifterLMS Contributor Month Hacktoberfest event is over and we’re excited to share the results of the event and announce our winners.

Contribution Stats

This year we accepted 10 pull requests from 5 contributors.

Contributions ranged from bug fixes, to the addition of hooks, to entirely new features.

Contributor      Pull Request   Reward
@alaa-alshamy    #1408
@CadenG150       #1410
@daniel-shuy     #1390          Add-on Drawing Winner
                 #1392          Swag item winner
                 #1393
@imknight        #1378          Swag item winner
                 #1387
                 #1394
                 #1404
@nhandl3         #1367

We’d like to extend a huge thank you to all our contributors and a big congratulations to our swag winners and Daniel Shuy who won our add-on drawing!

Hacktoberfest 2020: Third Annual LifterLMS Contributor Month

During the month of October, LifterLMS will be celebrating open source with our third annual Hacktoberfest event: LifterLMS Contributor Month.

Hacktoberfest is a month-long open source community event organized by DigitalOcean, Intel, and Dev.

LifterLMS will be participating in Hacktoberfest as a project maintainer. We encourage anyone to submit pull requests to any of the LifterLMS codebases found on GitHub.

Why Contribute

Contributing to open source projects is a great way to learn, practice your skills, meet new people, have your voice heard within a community, and build a public reputation you can take with you outside the project.

Who can Contribute

Anyone with a GitHub account can submit a pull request. If you don’t have one, you can sign up for free.

You don’t have to be a developer or coder to contribute. LifterLMS will accept contributions from QA testers, user experience and interface designers, documenters, and more! If you’re interested in participating but you don’t know how, you can get in touch with us and we’ll be happy to get you pointed in the right direction based on your unique set of skills and talents.

How to Contribute

Whether you’re a designer or developer, want to help with documentation, or something else entirely, we have a task for you!

If you’re looking to write or improve new code, tests, or documentation, head over to the LifterLMS GitHub repo and start looking through our existing issues. We’re using the special hacktoberfest tag for issues we feel would be ideal for first-time or new contributors to tackle during this event. You can view all these issues here. You could also check out our good first time contributor issues here.

If you plan to work on an issue please comment and let us know. This will help prevent collisions or duplicate efforts with other contributors.

Please review our contributor’s guidelines and ensure you’re adhering to our coding and documentation standards before submitting a PR!

You may also want to familiarize yourself with how to write and submit pull requests, and DigitalOcean has a great guide you can review here.

Finally, make sure you sign up for the official Hacktoberfest event so you’re eligible to win an official limited edition event shirt.

Rewards for Contributions

In addition to the satisfaction inherent in contributing to an open source project, we’ll be awarding prizes to anyone who contributes to LifterLMS during the month of October.

Every accepted pull request will provide you with an entry into a drawing for a free LifterLMS add-on license of your choice valued up to $199.00.

Anyone who submits three or more accepted pull requests will receive a LifterLMS t-shirt, hat, or mug (your choice).

All pull requests will be reviewed by the LifterLMS team by November 30, 2020. Only accepted pull requests count towards your contribution count.

Resources for Contributors

During the month of October we have several events to help support anyone looking to contribute:

Monthly Bug Scrub

Our monthly bug scrub is an open public meeting held on Zoom with notes recorded in Slack on the #developers channel.

Check out our contributor’s calendar for specifics in your timezone.

Office Hours

In addition to our weekly Wednesday Developer Office Hours held in Slack in the #developers channel, we’ll also be hosting short dev chats on Mondays and Fridays.

These informal chats are a great opportunity to interact with LifterLMS core developers and other contributors.

If you have any questions about any contributions you want to make, if you’re just getting started, or if you want to just say hello and keep Thomas company, these dev chats are for you (and you don’t have to be a developer to join).

Check out our contributor’s calendar for more details on these events.

LifterLMS and Hacktoberfest

Hacktoberfest and the Second Annual LifterLMS Contributor Month

During the month of October, LifterLMS will be celebrating open source with our second annual Hacktoberfest event: LifterLMS Contributor Month.

Hacktoberfest is a month-long open source community event organized by DigitalOcean and Dev.

LifterLMS will be participating in Hacktoberfest as a project maintainer. We encourage anyone to submit pull requests to any of the LifterLMS codebases found on GitHub.

Why Contribute

Contributing to open source projects is a great way to learn, practice your skills, meet new people, have your voice heard within a community, and build a public reputation you can take with you outside the project.

Who can Contribute

Anyone with a GitHub account can submit a pull request. If you don’t have one, you can sign up for free.

You don’t have to be a developer or coder to contribute. LifterLMS will accept contributions from QA testers, user experience and interface designers, documenters, and more! If you’re interested in participating but you don’t know how, you can get in touch with us and we’ll be happy to get you pointed in the right direction based on your unique set of skills and talents.

How to Contribute

Whether you’re a designer or developer, want to help with documentation, or something else entirely, we have a task for you!

If you’re looking to write or improve new code, tests, or documentation, head over to the LifterLMS GitHub repo and start looking through our existing issues. We’re using the special hacktoberfest tag for issues we feel would be ideal for first-time or new contributors to tackle during this event. You can view all these issues here. You could also check out our good first time contributor issues here.

If you plan to work on an issue please comment and let us know. This will help prevent collisions or duplicate efforts with other contributors.

Please review our contributor’s guidelines and ensure you’re adhering to our coding and documentation standards before submitting a PR!

You may also want to familiarize yourself with how to write and submit pull requests, and DigitalOcean has a great guide you can review here.

Finally, make sure you sign up for the official Hacktoberfest event so you’re eligible to win an official limited edition event shirt.

Rewards for Contributions

In addition to the satisfaction inherent in contributing to an open source project, we’ll be awarding prizes to anyone who contributes to LifterLMS during the month of October.

Submit at least one pull request and win a LifterLMS Contributor Month sticker package.

Submit three or more pull requests and get the sticker pack and a LifterLMS t-shirt, baseball cap, or mug (your choice).

Additionally, every accepted pull request will provide you with an entry into a drawing for a free LifterLMS add-on license of your choice valued up to $199.00.

All pull requests will be reviewed by the LifterLMS team by November 30, 2019. Only accepted pull requests count towards your contribution count.

Resources for Contributors

During the month of October we have several events to help support anyone looking to contribute:

October 1, 2019: Monthly Bug Scrub

Our monthly bug scrub is an open public meeting held on Zoom with notes recorded in Slack on the #developers channel.

Check out our contributor’s calendar for specifics in your timezone.

October 2, 2019: LifterLMS Contributor Month Kickoff Webinar

Join Thomas Patrick Levy, our technical co-founder and lead developer, for “Contributing to LifterLMS: A guide to open source projects for new contributors.”

The webinar will outline how to get started as a new contributor. If you have any questions, you can bring them to the Q&A section of the webinar. This webinar will be available as a replay if you miss the live session!

Register here if you’re interested in attending.

Office Hours

In addition to our weekly Wednesday Developer Office Hours held in Slack in the #developers channel, we’ll also be hosting short dev chats on Mondays and Fridays.

These informal chats are a great opportunity to interact with LifterLMS core developers and other contributors.

If you have any questions about any contributions you want to make, if you’re just getting started, or if you want to just say hello and keep Thomas company, these dev chats are for you (and you don’t have to be a developer to join).

Check out our contributor’s calendar for more details on these events.

Working Group Session 4: REST API Proposal and Specification

The LifterLMS Working Group will be meeting on July 17, 9-10am PT for our 4th session. The focus of this month’s meeting will be to review and discuss the proposal and specification for the forthcoming LifterLMS REST API.

In mid June we announced our product roadmap and release schedule for the rest of 2019. The first of these major releases is a REST API which will be made available as an addition to the free LifterLMS core plugin.

We’ve been quietly (but publicly) designing the specification for the REST API, and we’re now ready to present it to the working group.

Please review the specification and take a few minutes to submit your feedback and thoughts before attending the session.

The full (working) specification is documented at gocodebox.github.io/lifterlms-rest/.

You can submit your thoughts and feedback here: https://docs.google.com/forms/d/e/1FAIpQLSeQTBN-TOG9kPyccWJ_agZWmxuUwdaz7PGforoXRwW3IYscbA/viewform

Join us live or leave comments below.

Check the events calendar for information on the event.

WP Translation Day #4

Global WordPress Translation Day #4

The WordPress Polyglots Team has organized the 4th Global WordPress Translation day. The 24-hour event will take place on May 11, 2019.

Volunteers and contributors can attend local events to learn about translation and contribute translation to the WordPress core, plugins, and themes.

During this global event, LifterLMS will be hosting our own digital Translation Day event in the #translators channel on the LifterLMS Slack Community.

The LifterLMS core team, developers, and translators will be hanging out in Slack, discussing translations, and helping you contribute translations to the LifterLMS core or LifterLMS add-ons.

Planning on attending? Join the Slack channel today and introduce yourself!

Working Group Session 3: Merge Codes

The LifterLMS Working Group will be meeting on April 17, 2019, 9-10am PT for our 3rd session. The focus of this month’s meeting will be merge codes.

LifterLMS currently utilizes merge codes for engagements and notifications. In the future we plan for merge codes to be usable in all areas of LifterLMS (including LMS and non-LMS posts and pages).

As the maintainers we’re in the very early phases of clarifying our thinking around how to make merge codes most useful to course creators and before we solidify any plans we look to the working group for feedback and guidance.

Join us live or leave comments below.

Check the events calendar for information on the event.

A (late) Introduction to the LifterLMS Working Group

Saurabh had an idea

He approached the team sometime in the fall. He wanted us to start a LifterLMS Working Group.

In software development working groups are common. The W3C has several dozen groups which regularly gather to discuss and work on various internet specifications. Without these groups and specifications, we would not have many of the tools and utilities we use daily to power our websites.

WordPress itself doesn’t call them working groups, but if you point your browser to make.wordpress.org you can see another dozen or so teams working on various areas of the WordPress project.

A free and open-source project with a growing community should have its own working group, but we don’t.

We’ve always planned features with the interest of the user in the forefront of our minds. We gather feedback and diligently record issues and feature requests. We pivot our focus and goals based on these comments and questions we hear in support conversations and social media posts.

But the issue Saurabh’s idea attempts to resolve is that we did not have an official forum or platform to facilitate the co-creation of LifterLMS. We, the core team, have always remained solely responsible for the actions taken following or as a result of these conversations.

Saurabh’s idea was to gather a new group of stakeholders and meet to organize our collective thoughts about the successes and shortcomings of the project. His idea was to create the platform the project has been lacking.

The First Meeting

In January we organized the first meeting of this working group. We hand-selected a small group of users and contributors. We decided to start with quizzes as our first discussion topic. We checked our issue and request trackers and found when organized by category, quizzes, by far, had the highest number of feature requests.

I had intentions to distill the learnings of this first working group into some ground-breaking document and publish it here on the blog.

I had intentions that something so powerful would be said that it would somehow instantly result in a reconstructed and superior quiz system.

We discussed these things, and we (the core team) recorded more notes and more feedback. A lot of what we talked about has been written down and recorded by us multiple times over. New points were brought to our attention, and some of the issues we’re aware of were given new context.

There’s more work for our team to do on quizzes, and as we approach the second meeting of the working group we have new things to consider.

Improving the Working Group

As we look forward to the next session of the group, we hope to work together to find ways to encourage greater participation from members of the group.

Talk and discussion is not unimportant, but it’s only a small part of what we’ve learned we need from this group. We not only need members with great ideas and strong opinions, we need members who are willing to do work.

The most obvious work is code, but we don’t need to write more code*, we need to draft and create documentation, architectural models, feature concepts, roadmaps, and design specifications.

In simple terms: we need to determine, concretely, the things that LifterLMS needs to do. We need to write these things down and commit to them.

After these concepts and ideas are solidified, then I will work with our core team and contributors to turn these into deployable and useable features.

If we look to the work of the working groups of the W3C, we’ll see that these groups do not write code. They write specifications. These groups may have developers in them but the primary purpose of these groups is to create and design these specifications. The browser vendors and developers working on Chromium or Blink or Mozilla will then interpret these specifications and create the browsers we use.

Moving forward, the LifterLMS Working Group will be creating these specifications, and you’re invited to participate.

* If you’re a developer, we do need to write more code, please join us, please contribute.

Session 2, March 2019: Certificates

On March 20, 2019 at 9:00am PST we’ll gather for the second session of the LifterLMS Working Group, and we’ll be discussing certificates.

Our choice for this session comes after realizing that our first topic, quizzes, was perhaps too broad a topic. We’re hoping that certificates, while arguably as important as quizzes, will prove to be a topic that’s more digestible in a short period of time.

Bring your ideas, and be prepared to start creating LifterLMS with us.

See the events calendar for meeting details.