Patchstack Alliance rules (2022)

1. Membership
   1. Patchstack Alliance is an open community of cyber security researchers, developers, pentesters, and bug bounty hunters (hereafter in the text - members).
   2. Everyone can join the Patchstack Alliance as long as they are committed to making the WordPress ecosystem safer.
   3. By submitting at least one valid vulnerability report that meets the Patchstack Alliance vulnerability report submission requirements, you become a member of the Patchstack Alliance.
   4. Each Patchstack Alliance member will have its public profile page on the Alliance platform website (available after the official Alliance platform launch). The profile will include basic information about the member and all the data related to member activities (research points, discovered vulnerabilities, achievements badges, social links).
   5. Communication between Patchstack and Patchstack Alliance members should be done by email at darius.sveikauskas@patchstack.com and on the Patchstack Alliance Slack. All reports should be submitted only by vulnerability report submission form.
   6. Each member must provide a basic set of information about themselves, like the name (we need your name to be able to pay out the bounties), a nickname if you want to protect your privacy in your Patchstack Alliance public profile, and public vulnerability descriptions. Also, a valid email address that we will use for bounty payouts by PayPal and general communication.
   7. We have not set an age limit, but members must ensure that they are able to legally accept bounties in their local jurisdiction.
   8. Each member is responsible for the tax obligations for payouts received through the Patchstack Alliance.
   9. Patchstack Alliance members could be asked to give interviews as we want to introduce Patchstack Alliance members to the public for transparency and project promotion purposes.
   10. We expect common sense, responsibility, and abstinence from actions that may, in one way or another, damage the image of the Patchstack Alliance project.
   11. Patchstack reserves the right to expel any member from the Patchstack Alliance member list for unethical or malicious acts that may affect Patchstack and Alliance's image, even if malicious acts are not directly related to the Patchstack Alliance activities.
2. Vulnerabilities and report submission
   1. Everyone can submit vulnerability report(s) to the Patchstack Alliance if they make it in accordance with Patchstack Alliance rules.
   2. All vulnerabilities submitted to the Patchstack Alliance project will be disclosed (once they got processed by Patchstack vulnerability disclosure rules) to the Patchstack Vulnerability Database - a public and free vulnerability database https://patchstack.com/database/. We will allow everyone to access, save, share and use this information as we don't want to limit the spread of this information.
   3. All vulnerabilities submitted by Patchstack Alliance members must be new and unique. It means all submitted vulnerabilities should not be reported or published anywhere before to ensure Patchstack Alliance will be the first and only recipient who will get the particular vulnerability report. We want to avoid duplicate CVE ID submissions or other possible issues that could waste our resources or harm our reputation. Vulnerabilities that have been previously publicly disclosed, published, reported elsewhere will be rejected.
   4. All vulnerability reports should be submitted by using the submission form available here - https://patchstack.com/alliance/. We don’t accept submissions by email or in another form. At this moment we accept only vulnerability reports for WordPress ecosystem components like WordPress core, plugins, and themes. We accept reports for all WordPress plugins and themes regardless of whether they are free or premium. But keep in mind that for premium components reports we require to provide the original (unaltered) archive of the component so we could use it for vulnerability validation.
   5. The Patchstack Alliance adheres to a philosophy of ethical disclosure. Therefore, disclosing a vulnerability is pending until the software manufacturer publishes a patched version and most users update it on their websites. The aim is to minimize the negative impact that disclosure of vulnerabilities can cause. You can read more in Patchstack Vulnerability Disclosure Policy - https://patchstack.com/patchstack-vulnerability-disclosure-policy/
   6. Suppose the software manufacturer takes no action and ignores the information received for 30 days. In that case, the vulnerability will be disclosed and reported to the WordPress Security Team (https://developer.wordpress.org/plugins/wordpress-org/plugin-security/reporting-plugin-security-issues/) if the vulnerable component is distributed by a WordPress plugin or theme repository.
   7. We will disclose vulnerabilities on behalf of the author (we will use the name or nickname you have provided to us and a link to your Twitter or LinkedIn account). However, we will add "(Patchstack Alliance)" to the author's name to publicity the whole project. Finally, if an Alliance member wants to stay incognito, we will add "Patchstack Alliance member" as an author.
   8. Make sure you provide all vulnerability details in your reports. All additional (unreported) vulnerabilities that will be discovered in the process of reported vulnerability validation or verification of patches applied by vendors will be published in the name of the in-house Patchstack researcher who will find these unreported issues.
   9. Pay attention to the quality of your reports, test them carefully before submitting them to the Patchstack Alliance. Incomplete reports will be rejected with the possibility to fix the report two times. We will count the last fix date as the submission date, so if you submitted a report in June, but there were issues and you updated information to fix the issue in July, we will count it as a report submitted in July.
   10. Three reports rejected per month will lead to a cooldown period. It means that we will not accept reports from such members for the next month.
   11. What could cause rejection: incomplete report, invalid report, wrong data (missed vulnerability title, wrong vulnerability type, inaccurate payload, etc.), reports generated by using non-standard user roles (doesn’t apply to user roles created by the vulnerable plugin), or users with altered permissions.
   12. We do not accept reports for closed plugins or themes that are not distributed actively on WordPress.org or another public repository.
   13. If we will receive vulnerability reports for the same vulnerabilities from different members, we will assign them to the member who made the valid report submission first.
3. Competition, prize pool, and bounties
   1. Anyone can compete for the prize pool prize as long as they submit legitimate and unique vulnerabilities, and Patchstack Alliance is the first and only recipient of particular information.
   2. Patchstack guarantees a monthly prize pool with payouts.
   3. Patchstack Alliance member who will collect the most points for a particular month from his submitted reports will get the $300 bounty, the second one will get $200 and the third one will get $100.
   4. Limited Extra Bounties may be awarded that meet specific criteria. Each month extra bounties will be awarded for:
      1. Reporting a valid security bug with the highest severity found in a semi-popular component. (Minimum 25.000 active installations, and 7.3 or higher CVSS ver. 3.1 base score.)
      2. Reporting a valid security bug found in the most popular component. (Minimum 100.000 active installations and 6.1 or higher CVSS ver. 3.1 base score.)
      3. Reporting an identical and valid security bug found in the most components. (Minimum 10 components affected with over 10.000 active installations each, 5.4 or higher CVSS ver. 3.1 base score, and the PoC must work identically on each affected component.)
4. Patchstack can reward individual Patchstack Alliance members at their discretion based on the overall impact of the vulnerabilities they discover. The aim will be to reward members who have found high-impact vulnerabilities but have not reached the number of points that would guarantee a monthly competition prize (for example, outside the first three winning places).
5. Alliance members are not committed to finding a certain amount of vulnerabilities per month. Since it's not some strict contract, you are free to choose how much time you spend on this competition.
6. We pay bounties using the PayPal payment platform. Each member must take care of the administration of their PayPal account and the possibility to transfer money to the specified account. If your PayPal account is blocked, investigated, or frozen due to sanctions, Patchstack will attempt to transfer the money within a month, after one-month bounty will be dropped back to the bounty pool.
7. Two main parameters are used to calculate competition points: a) CVSS (version 3.1) base score (you can try CVSS 3.1 calculator here - https://www.first.org/cvss/calculator/3.1) b) count of active installs (for premium products - count of sales). We do not use an exact number of active installs in the calculation. Instead, we have groups that represent ranges. Group number acts as a multiplier in overall points calculation. It means we take the CVSS base score and multiply it by the multiplier that represents a range of active installs (sales). Ranges: x1 - from 1000 to 25K active installs, x2 - from 25k active installs, x3 - from 50K active installs, x4 - from 100K active installs, x5 - from 200K active installs, x6 - from 400K active installs, x7 - from 800K active installs, x8 - from 1.6 million active installs, x9 - from 3,2 million active installs, x10 - from 5 million active installs.
8. If it is not possible to determine the number of active installations or sales, we will try to resolve it using the means available (Google, Public WWW).
9. We will count points for each month strictly from the first month's day to the last one. The result will be revealed as soon as possible (at least until the end of the next month because sometimes we need extra time for validation of reports sent to us on the last days of the month).
10. We will use UTC time as the main time format, so please keep in mind the difference according to your local time.
11. We will accept vulnerabilities that require an attacker to have an admin or higher user roles (similar custom roles or lower roles with altered permissions), but these will be used only to disclose them in the Patchstack Vulnerability Database and assign them CVE ID. Still, no points for the monthly Alliance competition will be calculated.
12. We will accept vulnerabilities for components with less than 1000 active installs. Still, these will be used only to disclose them in the Patchstack Vulnerability Database and assign them CVE ID, but no points for the monthly Patchstack Alliance competition will be calculated.
13. CVE IDs will be assigned as soon as the vulnerability will be validated by Patchstack, up to two weeks in case of the large number of reports submitted. CVE IDs will be published once we disclose the vulnerability to the Patchstack vulnerability database (30 days from the report validation day).
14. Members could get more score points (x1.5) for highly detailed advisories on their discovered vulnerabilities if they have a high CVSS 3.1 base score (7.5 or higher). Before creating such a detailed advisory, you need to inform Patchstack to discuss the details.
15. What Patchstack offers
    1. First of all, we offer a competition that allows you to win actual money and prizes for discovering vulnerabilities.
    2. We offer publicity. We will make everything to show the world how good you are at hunting vulnerabilities.
    3. The WordPress community will praise you for your discoveries.
    4. You'll get your Patchstack Alliance profile page (coming soon) that will show all your achievements. An excellent way to show everyone your skill level.
    5. Blog posts, database entries, and other link and traffic sources to your social profiles. We don't want to hide you. We want everybody to know who are the Patchstack Alliance members.
    6. Trust us, you'll meet fascinating people here, and this competition might be a jump start for your career.
    7. Share and gain knowledge. Patchstack Alliance is not just about the competition. It's about the people and community.

💡 These rules are subject to change. We will notify you about any changes in the Alliance dedicated Slack account #general channel.