Gutsy move, posting to HN about a security vulnerability at Amazon. And using WordPress to do it. I'll bet this guy loves playing on cliffs, too.


I would hope my blog would be easier to hack than Amazon. Playing on cliffs and rock climbing is fun, btw. :)


Why? You have a lot of ways to hack a WordPress site?


> <azonenberg> wordpress is an unauthenticated remote shell that, as a useful side feature, also contains a blog

That's an old joke and obviously an exaggeration, but it's not horribly far off. WordPress instances fall to attack constantly, due to a combination of bugs in the base application itself (not terribly common) and extensions (not just common -- CONSTANT). In terms of breakability, I would rank WordPress in the top 1% of applications without a second thought.


If you believe you're aware of any security issues with WordPress core itself, Automattic is running a Bug Bounty program over on HackerOne here: https://hackerone.com/automattic/ -- responsible disclosure, bug bounties, and making the web a safer place is awesome.


You really think some piddling Automattic bounty is more valuable than a WordPress 0day?!?!?!?!? (Conscious punctuation.)

I'm at a loss for words, scaredy-cat.


So you are implying that there are no honest people out there, and on top of that everyone that finds a vulnerability has the guts and resources to make money off a 0day bug?


What's so hard in making money off 0days? Especially in this day and age of SilkRoute clones and Cryptocurrencies.

I was under the impression that a big reason why 0day exploits are not popping up all over is because the folks who discover them can now sell them (for way more than any bounty program), whereas earlier the only way to monetize was to use them as advertisement for selling your skills. Instant payment vs Contractual jobs. I'd say now the 0day vulns end up in the hands of professionals (criminal networks/state actors) rather than script kiddies.


More than one person can rediscover an exploit. Paying all of them gets expensive.

