Biggest WordPress Bug Bounty program upgrade is here!

Published 31 July 2024
Darius Sveikauskas
Bounty & Data Overlord

The WordPress Bug Bounty program by Patchstack is something we are proud of. We started the first public Bug Bounty program in the WordPress ecosystem with every WordPress plugin, theme and even core in scope, and we were the first to pay bounties for vulnerabilities discovered in free WordPress components.

Since the program’s introduction in 2021, we have paid more than $80,000 in bounties. The program has evolved in many steps, starting with polishing the rules so that the competition between researchers is fair and open. With each upgrade, we have tried to make the WordPress Bug Bounty program friendlier, accessible to anyone, and generous to everyone who earns it.

We have always emphasized the community, and it has paid off. The Bug Bounty program brought many security researchers and developers into the Patchstack Alliance community, which is the backbone of the WordPress Bug Bounty program and is open to anyone on the Patchstack Alliance Discord server. Seeing so many people discussing, sharing information, and researching to make open-source software safer is the vision we always had in mind.

The Bug Bounty program has outgrown its former frame and needs another upgrade, so we are glad to announce that the Patchstack Bug Bounty program is getting its most significant upgrade since its release in 2021.

Monthly competition and bounties

We have great news for all researchers competing in the monthly Bug Bounty program competitions. We wanted a way to show how much we appreciate your contribution to WordPress security, and here it is: monthly competition bounties are now doubled (2x). We are also adding extra positions, so the monthly competition now rewards the TOP 20 instead of the TOP 15. The guaranteed bounty pool for monthly competitions is now $8,800 (previously $4,250).

Position   Bounty
1          $2,000.00
2          $1,400.00
3          $800.00
4          $600.00
5          $500.00
6          $400.00
7          $400.00
8          $400.00
9          $400.00
10         $400.00
11         $200.00
12         $200.00
13         $200.00
14         $200.00
15         $200.00
16         $100.00
17         $100.00
18         $100.00
19         $100.00
20         $50.00
Random     $50.00

Monthly competition bounties for researchers who have more than 0 AXP points.

Zeroday program bounties

Patchstack Bug Bounty program researchers worldwide have proven that they can find non-ordinary vulnerabilities that pose the highest risk to users of the vulnerable software and are exploitable in practice. Zeroday (0day) vulnerabilities are special: we try to catch them in time and protect software users and website visitors from malicious impact. To show how important this is to us and to the WordPress ecosystem, we have increased the bounties for the Zeroday program, which now pays up to $14,400 per valid report.

Highest payout per reported WordPress Zeroday (0day) vulnerability. Biggest WordPress Bug Bounty program.

We are also introducing lower-range bounties for components with a lower active install count: the Zeroday program now accepts reports as long as the vulnerable component has at least 5,000 active installations. And now the fun part. These are the new bounties for the Zeroday program:

Active installs   Unauthenticated   Subscriber/Customer
5,000+            $150.00           $75.00
10,000+           $450.00           $225.00
50,000+           $900.00           $450.00
100,000+          $1,800.00         $900.00
500,000+          $3,600.00         $1,800.00
1,000,000+        $7,200.00         $3,600.00
5,000,000+        $14,400.00        $7,200.00

Bounties for the Zeroday program, by the vulnerable component's active install count and the privilege level required to exploit it.

Let’s celebrate!

Yes, let’s celebrate, because why not? You remember the special events we ran before and how intense the competition was. Let’s play again! Last time we were looking for Cross-Site Scripting (XSS) vulnerabilities; this time, let’s hunt for SQL Injection (SQLi) vulnerabilities.

Let’s call this special event “Back to SQL”, because many researchers will return to their schools and universities at the beginning of September, so why not have some fun before that?

WordPress Bug Bounty program special event - "Back to SQL".

Rules are simple

  • Time – from 1 August 2024 (00:00:01 UTC) to 31 August 2024 (23:59:59 UTC).
  • Scope – SQLi vulnerabilities with a CVSS severity of 8.0 or higher (excluding vulnerabilities that require the superadmin, admin, or any custom high-privilege role) in components with 10K or more active installs that were last updated within the past three years.
  • Bounties – AXP x2 (counted toward the monthly competition) plus a bounty per vulnerability: CVSS 8.x – $75, CVSS 9.x – $100, CVSS 10 – $150.
  • For all other rules, check the WordPress Bug Bounty program guides and rules.

What’s next?

The biggest change coming soon is self-managed profiles for researchers. We are upgrading the way researchers manage their profiles and view their stats and reports. More surprises are coming, so stay in touch to get the latest news right away.

Patchstack WordPress Bug Bounty program upgrade. Higher bounties, more winners.

More information

Official announcements and program updates are published on the Patchstack Alliance Discord server and on the official Patchstack social media channels. If you need additional information, open a support ticket on the Patchstack Alliance Discord to ask for help.

Twitter(X) https://twitter.com/patchstackapp
Facebook https://www.facebook.com/patchstackapp
LinkedIn https://www.linkedin.com/company/patchtsack
