Our monthly pool for cash prizes, infosec tools and more is growing

Monthly cash payouts
We cover PayPal transaction fees
Minimum 2425 USD per month in a bounty pool

October bounties

Joshua Chan
Brandon Roldan
Abdi Pranata
4th to 10th
11th to 15th

Additional bounties

* See full guidelines and terms before reporting

Vulnerability with the highest installation count*
Vulnerability that affects most (more than ten) plugins*
Vulnerability with the highest CVSS (3.1) severity*
Additional bounties for achievements that are beneficial to the community or particularly interesting*

Submit a valid vulnerability to receive an invite to the community

Easily generate reports for vendors
Get access to our exclusive Discord channel
Share tools, knowledge and research
Managed triage process

We handle reporting to vendors so you can focus on your research

Vulnerabilities get accepted faster
Get CVE's assigned in your name
Gain more time to do research

Frequently asked questions

Your pledge will go towards further developing the platform and supporting the community prize pool. To find out more – get in touch!

For now, we only support PayPal payments with more alternatives coming soon. We cover all payout (PayPal) fees so you receive the exact amount promised. We are not responsible for other fees such as withdrawal or local taxes.

A combination of different parameters is used to calculate points. The two main parameters are the active install count of the reported component and the impact of the reported vulnerability (CVSS 3.1 base score). At the end of each month, points are summed up for each researcher meeting the previously mentioned requirements to establish a leaderboard.

Patchstack guarantees a monthly prize pool of at least $2425 (the lowest possible prize pool). Patchstack Alliance member who will collect the most points for a particular month from their submitted reports will get the $650 bounty, the second place will get $350 and the third will get $250.

We have extra bounties (single bounties) for reporting the vulnerability with the highest CVSS ver. 3.1 base score; the highest active install count; and for reporting a group of components affected by the same vulnerability.

Patchstack can reward individual Patchstack Alliance members at their discretion based on the overall impact of the vulnerabilities they discover.

We urge you to read the Terms & Conditions in full.

While we do accept all vulnerability reports, we only count points (used for the bounty leaderboard) for security vulnerabilities that match the following requirements:

  1. Reported vulnerability should not require Admin, Superadmin, or another similar custom high capability role user to exploit the vulnerability successfully;
  2. CVSS 3.1 Base Score for reported vulnerability should be at least 4.0 (CVSS 3.1);
  3. The person has reported more than three vulnerabilities that pass requirements per month.

Vulnerabilities that are still valid but don’t pass the requirements for bounties will be triaged, receive a CVE, processed, and published to the Patchstack Vulnerability database. More information is available in the Patchstack Alliance rules.

Right now, we have a guaranteed bounty pool of 2425 USD per month, and it’s growing.

Everyone can join the Patchstack Alliance as long as they are committed to making the WordPress ecosystem safer. By submitting at least one valid vulnerability report that meets the Patchstack Alliance vulnerability report submission requirements, you become a member of the Patchstack Alliance.

Community. We already have some of the best WordPress security talents so it might be interesting for you to join the discussions in our dedicated Discord channels.

Bounties. During our first year, we paid 18K in bounties.

We assign CVE IDs to your contributions. Receive credit for your findings in our WordPress vulnerability database.

The platform. Our reporting process and validation triage fast-track security patch creation for vendors, saving you time to do more research.

Patchstack Alliance is an open community of cyber security researchers, developers, pentesters, and bug bounty hunters who use our platform to research and report security issues in WordPress plugins to win monthly bounties, special competitions, and seasons.

Managed VDP and security auditing for WordPress plugin developers

The latest vulnerability data for WordPress hosts

Looks like your browser is blocking our support chat widget. Turn off adblockers and reload the page.