Patchstack Alliance is an open community of cyber security researchers, developers, pentesters, and bug bounty hunters who use our platform to research and report security issues in WordPress plugins to win monthly bounties and compete in annual competitions for grand prizes.
Community. We already have some of the best WordPress security talents so it might be interesting for you to join the discussions in the our dedicated Slack channels.
Bounties. During our first year, we’ve paid 18K in bounties. We have monthly payouts and also annual grand prizes.
We assign CVE IDs to your contributions. Receive credit for your findings in our WordPress vulnerability database.
The platform. Our reporting process and validation triage fast-track security patch creation for vendors and save you time to do more research.
Everyone can join the Patchstack Alliance as long as they are committed to making the WordPress ecosystem safer. By submitting at least one valid vulnerability report that meets the Patchstack Alliance vulnerability report submission requirements, you become a member of the Patchstack Alliance.
Yes! Patchstack and our partners want to make WordPress and open-source safer by motivating researchers to check all WordPress ecosystem components despite their nature. Thanks to our partners, we can offer bounties for finding vulnerabilities in free as well premium WordPress components (even when the vendor does not pay bounties).
The annual competition is accessible to anyone who submits at least one vulnerability to us any time during the year. Monthly competitions are available only for Patchstack Alliance members.
Right now, we have a guaranteed bounty pool of 1500 USD per month, and it's growing.
While we do accept all vulnerability reports, we only count points (used for the bounty leaderboard) for security vulnerabilities that match the following requirements:
Vulnerabilities that are still valid but don't pass the requirements for bounties will be triaged, receive a CVE and will be counted for annual WP BUG HUNT prizes. More information is available in the Patchstack Alliance rules.
Patchstack guarantees a monthly prize pool of at least $1500 (the lowest possible prize pool). Patchstack Alliance member who will collect the most points for a particular month from his submitted reports will get the $300 bounty, the second one will get $200 and the third one will get $100.
We have extra bounties (single bounties) for reporting the vulnerability with the highest CVSS ver. 3.1 base score; the highest active install count; and for reporting a group of components affected by the same vulnerability.
Patchstack can reward individual Patchstack Alliance members at their discretion based on the overall impact of the vulnerabilities they discover.
We urge you to read the Terms & Conditions in full.
A combination of different parameters is used to calculate points. The two main parameters are the active install count of the reported component and the impact of the reported vulnerability (CVSS 3.1 base score). At the end of each month, points are summed up for each researcher meeting the previously mentioned requirements to establish a leaderboard.
For now, we only support PayPal payments with more alternatives coming soon. We cover all payout (PayPal) fees so you receive the exact amount promised. We are not responsible for other fees such as withdrawal or local taxes.
WP Database Backup
Authenticated Stored CrossSite Scripting vulnerability
Unauthenticated Local File Inclusion (LFI) vulnerability
Reflected CrossSite Scripting vulnerability
Unauthorized AJAX Calls Vulnerability
💡 These rules are subject to change. We will notify you about any changes in the Alliance dedicated Slack account #general channel.