Patchstack has been pioneering the WordPress bug bounty hunting scene for many years now. 6 years ago, we came up with an idea on how to make open-source bug bounty hunting cover even the smallest projects (regardless of whether they make money or not).
This project was later renamed to Patchstack Red Team and then to Patchstack Alliance. Over the years, we’ve built the most active ethical hacker community behind WordPress and paid over $60,000 in cash rewards.
2023 was our most successful year ever: our community grew to 400+ members, Patchstack became a member of the OpenSSF, and we became the world's leading source of vulnerability intelligence (highest number of CVEs assigned in 2023).
After we launched the Patchstack mVDP program in early 2023 for WordPress plugin developers, we started working on the new Patchstack bug bounty program. Today, we’re excited to announce the new Patchstack bug bounty competition, the Patchstack zero-day program, and the Patchstack researcher rank.
Updated WordPress bug bounty competition
We are not going to change what already works, but we are increasing the rewards significantly. Every month, the top researcher with the highest AXP score will receive $1000 USD. The second will get $700 and the third place will get $400.
Higher severity = higher AXP score.
The top 15 researchers get paid at least $100 each month (if they have reported at least 1 valid vulnerability). We also pay $50 randomly to one researcher each month who did not make the top 15 but still contributed to open-source security with a valid vulnerability report.
Monthly cash rewards:

| Place | Reward |
|---|---|
| 1st place | $1,000.00 |
| 2nd place | $700.00 |
| 3rd place | $400.00 |
| 4th place | $300.00 |
| 5th place | $250.00 |
| 6th place | $200.00 |
| 7th place | $200.00 |
| 8th place | $200.00 |
| 9th place | $200.00 |
| 10th place | $200.00 |
| 11th place | $100.00 |
| 12th place | $100.00 |
| 13th place | $100.00 |
| 14th place | $100.00 |
| 15th place | $100.00 |
| Random prize | $50.00 |
While the monthly guaranteed prize pool almost doubles in size, we’ve removed the “special bounties” to simplify the program as they would partially overlap with our new initiative, the Patchstack zero-day program.
Introducing the Patchstack zero-day program
Ever since we launched the Patchstack mVDP for plugins, we’ve also worked on getting per-vulnerability bounties to researchers in direct partnership with plugin developers.
We’ve made it simple for plugin developers to process vulnerability reports & pay additional bounties to the ethical hackers.
To ensure that more security vulnerabilities with the potential to be exploited as zero-days get reported ethically, we are launching the Patchstack zero-day program starting January 1st, 2024.
Patchstack is paying up to $2000 per vulnerability for exploitable & critical vulnerabilities found in any of our partners’ plugins. It’s a simple and transparent system, where the payouts are based entirely on the number of active installs the vulnerable plugin has.
Today, we have over 200 WordPress plugins on the Patchstack managed vulnerability disclosure program such as Elementor, RocketWP, Kadence, MainWP, and many, many others.
You can see the full list here: https://patchstack.com/database/vdp
Per-vulnerability cash rewards (payout depends on the vulnerable plugin's active install count and the permission level needed to exploit it):

| Active installs | Unauthenticated | Subscriber/Customer |
|---|---|---|
| 10,000+ | $100.00 | $50.00 |
| 50,000+ | $150.00 | $75.00 |
| 100,000+ | $300.00 | $150.00 |
| 500,000+ | $450.00 | $225.00 |
| 1,000,000+ | $1,000.00 | $750.00 |
| 5,000,000+ | $2,000.00 | $1,500.00 |
Here are the full requirements to be eligible for a bounty:
- The software has an active VDP listed on patchstack.com/database/vdp/
- The vulnerability leads to a full site compromise (ability to upload & access a functional backdoor).
- The vulnerability is exploitable with Unauthenticated (none), Subscriber, or Customer (WooCommerce) permissions.
- The report includes a working exploit.
- No prerequisites (default settings / most common environment / does not need any other vulnerability to be present).
- The exploitation does not require any user interaction.
All of the vulnerabilities reported to the Patchstack zero-day program will also receive AXP (with a bonus) which will be counted for the current month’s bug bounty competition.
PS! If you’re a plugin developer, you can sign up for the program for free here: https://patchstack.com/for-plugins/
Introducing the Patchstack researcher rank
Many of the most active community members have been active in WordPress bug bounty hunting and have been staying with us for years. They have shown incredible consistency and passion for open-source security.
To make them stand out from the rest of the community, we’ve introduced a level system.
All of the AXP you earn from reports will be permanently added to your profile. After your first valid report, you will start from level 1 and can reach the maximum level of 10. We also have rewards from Level 2 – Level 10.
Each reward is earned once when you reach the corresponding level. The total amount of rewards you can unlock is $5737 USD, plus 2 additional mystery box rewards at level 5 and level 10.
Rewards unlocked on each level:

| Rank | Reward |
|---|---|
| Level 2 | $200 |
| Level 3 | $300 |
| Level 4 | $400 |
| Level 5 | $500 + Mystery Box |
| Level 6 | $600 |
| Level 7 | $700 |
| Level 8 | $800 |
| Level 9 | $900 |
| Level 10 | $1337 + Mystery Box |
Building the largest open-source security community
Our vision behind the Patchstack Alliance community and WordPress bug bounty hunting is to bring ethical hackers and open-source developers together. We believe that ethical hackers who contribute security reports to open-source projects are equal contributors to developers who contribute code.
We are well aware that what makes open-source software so great is the community and people behind it, so we must do the same for open-source security.
What this community has done for the WordPress ecosystem is already historical, but it’s all just the beginning.
We have much more exciting news coming in Q1, so whether you’re an ethical hacker or an open-source developer – don’t forget to join our community in Discord: https://discord.gg/uHcsy8rgPu