Researching Website Vulnerabilities - Interview With Bug Bounty Hunter Mat Rollings

Researching website vulnerabilities – interview with bug bounty hunter Mat Rollings


By Maciej Nowak

How do you balance openness with security in a web-first world? That’s the question we explored in our latest episode with Matt Rollings, a full-time bug bounty hunter, cybersecurity consultant, and white-hat hacker.

The conversation unpacked what it really takes to secure modern websites – especially for businesses scaling fast, running legacy stacks, or relying heavily on third-party services. From misconfigured headers to exposed APIs, Matt offered a no-fluff guide to where real vulnerabilities hide (and how attackers find them).

Matt Rollings is a recognized voice in the security research community and one of the most active contributors to coordinated disclosure programs. He’s worked across industries – from fintech to ecommerce – and his findings have helped patch real-world flaws in platforms used by millions. Matt’s approach? Attack like a hacker, think like a builder.

In this high-signal conversation, we explored how bug bounty programs actually work – and how to build one responsibly; the most common vulnerabilities Matt sees in the wild; what founders and CTOs still get wrong about security; and why the goal isn’t perfection but rapid detection and response.

Security Is a Process, Not a Product

Matt emphasizes that security isn’t something you “buy once” – it’s an ongoing discipline. Tools can help, but the real value comes from how quickly you detect and respond to threats. Modern stacks are too complex for total prevention.

You can’t patch what you don’t monitor.

He recommends investing in internal feedback loops, monitoring tools, and a culture of security ownership across product and engineering teams. In practice, that means wiring SAST into CI/CD (for example Semgrep or Psalm running in GitHub Actions on every change) and, in WordPress, routing uploads through the platform's built-in upload handlers, which validate file type and extension, rather than raw PHP file operations, the source of many RCE-class bugs.


Bug Bounties: Underrated & Underprepared

Too many companies jump into bug bounty programs without a mature security process. According to Matt, the best programs are structured, responsive, and collaborative – not just transactional.

If you ghost a hacker after they report something, they’ll never work with you again.

He encourages orgs to treat bounty hunters as allies, not adversaries: clear scopes, fast replies, and public recognition. A bounty program should complement pentests rather than replace them. The pentest gives you a scheduled, scoped assessment once or twice a year; the program keeps many more eyes on your attack surface continuously, so you get security in depth.


Legacy Code and Framework Debt Are Your Real Threats

Some of the worst vulnerabilities Matt sees come from unmaintained legacy systems or code that’s “held together by duct tape.” In WordPress, that often means file uploads with lax or missing type checks, or role-escalation logic such as AJAX or REST endpoints that skip the capability check and let an ordinary user make themselves an admin, patterns he repeatedly finds across copy-pasted plugins.

It’s rarely the flashy zero-day. It’s the dusty CMS plugin no one’s updated in six years.

He advises companies to treat tech debt as a security liability – and to prioritize code audits during migrations or platform redesigns.
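The two plugin patterns described in this section (the raw-PHP upload and the role-escalation endpoint), and the "use the built-in upload handler" advice from the earlier section, written out as an added example. This is not code from the interview or from any real plugin: the `acme_` function prefix, the AJAX action names and the `acme/v1` REST routes are hypothetical; the WordPress functions called (`check_ajax_referer`, `current_user_can`, `wp_handle_upload`, `register_rest_route`, `WP_User::set_role`, `wp_roles()`) are the public WordPress API. Each vulnerable handler is shown next to its hardened form.

```php
<?php
/*
 * Added illustration of two common WordPress plugin bug classes.
 * Hypothetical plugin prefix "acme_" and route names; everything else is
 * the standard WordPress API. The *_insecure handlers are the bug, kept
 * here only for contrast; do not ship them.
 */

// --- Pattern 1: file upload -------------------------------------------------

// VULNERABLE: reachable unauthenticated (wp_ajax_nopriv_), no nonce, no
// capability check, and the caller controls both the file contents and the
// destination filename. Uploading shell.php gives remote code execution.
add_action( 'wp_ajax_nopriv_acme_upload_insecure', 'acme_upload_insecure' );
add_action( 'wp_ajax_acme_upload_insecure', 'acme_upload_insecure' );
function acme_upload_insecure() {
    $dest = wp_upload_dir()['basedir'] . '/' . $_FILES['file']['name'];
    move_uploaded_file( $_FILES['file']['tmp_name'], $dest );
    wp_send_json_success( array( 'path' => $dest ) );
}

// HARDENED: logged-in users only, nonce, capability check, and the upload
// goes through wp_handle_upload(), which validates the extension/MIME pairing
// against an allow-list, sanitizes the filename and picks the destination.
add_action( 'wp_ajax_acme_upload', 'acme_upload' );
function acme_upload() {
    check_ajax_referer( 'acme_upload', 'nonce' ); // dies on a bad or missing nonce
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( empty( $_FILES['file'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload(
        $_FILES['file'],
        array(
            'test_form' => false,
            // Narrower than the site-wide list: only what this feature needs.
            'mimes'     => array(
                'png'      => 'image/png',
                'jpg|jpeg' => 'image/jpeg',
                'pdf'      => 'application/pdf',
            ),
        )
    );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}

// --- Pattern 2: role escalation through a REST endpoint ---------------------

// VULNERABLE: permission_callback => '__return_true' makes the route public,
// and the handler trusts a caller-supplied user id and role. Any visitor can
// POST {"user_id": <their own id>, "role": "administrator"}.
add_action( 'rest_api_init', function () {
    register_rest_route( 'acme/v1', '/role-insecure', array(
        'methods'             => 'POST',
        'permission_callback' => '__return_true',
        'callback'            => function ( WP_REST_Request $req ) {
            $user = get_user_by( 'id', $req->get_param( 'user_id' ) );
            $user->set_role( $req->get_param( 'role' ) );
            return rest_ensure_response( array( 'ok' => true ) );
        },
    ) );
} );

// HARDENED: the permission callback requires the capability that role changes
// need anyway, arguments are sanitized, and the role is checked against the
// roles registered on the site before it is applied. For cookie-authenticated
// callers WordPress also requires a valid X-WP-Nonce header before the
// permission callback sees a logged-in user.
add_action( 'rest_api_init', function () {
    register_rest_route( 'acme/v1', '/role', array(
        'methods'             => 'POST',
        'permission_callback' => function () {
            return current_user_can( 'promote_users' );
        },
        'args'                => array(
            'user_id' => array( 'required' => true, 'sanitize_callback' => 'absint' ),
            'role'    => array( 'required' => true, 'sanitize_callback' => 'sanitize_key' ),
        ),
        'callback'            => function ( WP_REST_Request $req ) {
            $role = $req->get_param( 'role' );
            if ( ! wp_roles()->is_role( $role ) ) {
                return new WP_Error( 'acme_bad_role', 'Unknown role', array( 'status' => 400 ) );
            }
            $user = get_user_by( 'id', $req->get_param( 'user_id' ) );
            if ( ! $user ) {
                return new WP_Error( 'acme_no_user', 'No such user', array( 'status' => 404 ) );
            }
            $user->set_role( $role );
            return rest_ensure_response( array( 'ok' => true ) );
        },
    ) );
} );
```

The vulnerable halves are exactly the shape a SAST pass in CI is good at flagging: `move_uploaded_file` fed from `$_FILES` with no validation, and a `register_rest_route` whose `permission_callback` is `__return_true` on a state-changing method. Running Semgrep's PHP rules or Psalm's taint analysis over a plugin before merge, as the earlier section recommends, catches both before a bounty hunter does.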


Security Is Everyone’s Job – Not Just the CISO’s

Matt’s most repeated point? Security isn’t a department – it’s a mindset. Developers, designers, marketers – everyone touches data, and everyone creates surface area.

If your marketing team spins up a landing page with a bad form config, that’s a vector.

He recommends light but regular training across teams and bringing security reviews earlier into the product cycle. In practice, he frames findings as learning opportunities rather than blame, and doubles down on the basics, consistent input validation and sanitization in particular, so that teams stop repeating the same class of mistake.


Transparency Builds Trust – Even After a Breach

Matt highlights that public trust often depends more on how you respond to an incident than whether it happened in the first place. Companies that are transparent, responsive, and empathetic come out stronger.

You’ll never eliminate all risk. But you can control how you show up when it counts.

He cites examples of public postmortems, shared root causes, and open patch timelines as signs of maturity.


Full Conversation with Matt Rollings

Want to hear the full conversation with Matt Rollings? Check out the latest 🎙️ Osom to Know podcast.

You can also watch us on YouTube – don’t forget to hit subscribe! 📩

And if you’re building on legacy code, scaling a platform, or just starting to take security seriously – let’s talk. At Osom Studio, we help teams build secure, scalable solutions from day one.
