⚠️ Attention! Update to rules that will take effect from February 1st, 2024.
- PHP Object Injection and Insecure Deserialization vulnerabilities will get a 2x AXP boost.
- Remote Code Execution (RCE), Arbitrary file upload, and Local File Inclusion (LFI) will get a 3x AXP boost.
- Auth. Contributor+ Shortcode Preview is out of scope, and such reports are no longer accepted unless sensitive or security-related information is disclosed, like PII (valid and measurable security impact). Patchstack keeps the right to reject selected reports from this category. The ability to preview/execute a shortcode usually exposes no sensitive information, in the case it does, you can still report it. Note that this is not related to Cross-Site Scripting (XSS) and we still accept those.
- Reports for CSRF or Broken Access Control vulnerabilities leading to the Dismissal of Notice are no longer eligible to receive AXP unless the Dismissal of Notice has a valid and measurable impact. Patchstack keeps the right to reject selected reports from this category.
ℹ️ Reports with Reflected Cross-Site Scripting (XSS) vulnerabilities on 2024 February will get x1.75 more AXP points.
- Patchstack runs an open bug bounty program focused on the WordPress ecosystem - https://patchstack.com/bug-bounty/.
- We are using UTC as the main time format.
- Patchstack reserves the right to change these rules at any time without prior notice.
- All valid vulnerabilities reported to the Patchstack bug bounty program will get the CVE ID assigned and later published if there is no collision with other CVE IDs.
- Everyone can submit vulnerability report(s) to the Patchstack Bug Bounty program –https://patchstack.com/bug-bounty/ if they agree and follow the Patchstack Bug Bounty program rules.
- Reports must be submitted using this web form: https://patchstack.com/database/report. We don’t accept submissions by email or in another form.
- We accept only vulnerability reports for WordPress ecosystem components like WordPress core, plugins, and themes.
- We accept reports for all WordPress plugins and themes, regardless of whether they are free or premium.
- If you’re reporting a vulnerability in the premium component, you must provide the original (unaltered) premium component archive so we can validate the reported vulnerability.
- All vulnerabilities submitted must be new and unique. It means all submitted vulnerabilities should not be reported (except those cases when you want to report it directly to the vendor before reporting the vulnerability to the Patchstack) or published anywhere else to ensure Patchstack will be the first and only recipient to access the vulnerability report. This does not apply to vulnerability reports submitted via Patchstack mVDP program for vulnerabilities that are being reported behalf of another bug bounty program.
- We want to avoid CVE ID collisions, so reports for the vulnerabilities previously publicly disclosed, published, and reported elsewhere will be rejected. This does not apply to vulnerability reports submitted via Patchstack mVDP program for vulnerabilities that are being reported behalf of another bug bounty program.
- Make sure you provide all vulnerability details in your reports. All additional (unreported) vulnerabilities discovered during reported vulnerability validation or verification of patches applied by vendors will be published in the name of the researcher who will find these unreported issues.
In case of reports submitted via Patchstack mVDP program for vulnerabilities that are being reported behalf of another bug bounty program, the details of the original researcher can be set to "undisclosed".
- Pay attention to the quality of your reports and test them carefully before submitting them to the Patchstack bug bounty program. Incomplete reports will be rejected with the possibility of fixing the report two times. We will count the last fix date as the submission date, so if you submitted a report in June, but there were issues, and you updated information to fix the issue in July, we will count it as a report submitted in July.
- Three reports rejected per month will lead to a cooldown period. We will not accept reports from such members for the current and next month.
- What could cause rejection: incomplete report, invalid report, wrong data (missed vulnerability title, wrong vulnerability type, inaccurate payload, etc.), reports generated by non-standard user roles (except user roles that come as a default specific plugin user role), or roles with altered permissions.
- We do not accept reports for closed plugins or themes. At the time of the report, the component should be fully accessible on the repository. This does not apply to vulnerability reports submitted via Patchstack mVDP program and for vulnerabilities that are being reported behalf of another bug bounty program.
- We reserve the right to reject vulnerability reports if the vulnerable component is not in WordPress, Envato, GitHub, or other well-known repositories and is distributed from a private vendor repository.
- We will not accept reports made by reported component vendors/developers/authors.
- If we receive vulnerability reports for the same vulnerabilities from different members, we will assign them to the member who submitted the valid report first.
- We will accept vulnerabilities for components with less than 1000 active installs. However, these will be used only to report them to the vulnerable software vendor and disclose them in the Patchstack Vulnerability Database. Note that these vulnerabilities, if valid, will get the CVE IDs, but no XP points for the monthly Patchstack bug bounty competition will be calculated. This does not apply to vulnerability reports submitted via Patchstack mVDP program for vulnerabilities that are being reported behalf of another bug bounty program.
Research points (XP)
- XP are research points you get for the valid vulnerabilities you report to the Patchstack Bug Bounty program.
- XP is used to determine the winners of each event organized by Patchstack.
- Several parameters are used to calculate competition points:
- CVSS (version 3.1) base score (you can try CVSS 3.1 calculator here - https://www.first.org/cvss/calculator/3.1)
- Count of active installs (for premium products - count of sales). We do not use an exact number of active installs in the calculation. Instead, we have groups that represent ranges. The group number acts as a multiplier in the overall points calculation. We multiply the CVSS base score by the multiplier representing a range of active installs (sales). Ranges:
- x1 - from 1000 to 25K active installs;
- x2 - from 25k active installs;
- x3 - from 50K active installs;
- x4 - from 100K active installs;
- x5 - from 200K active installs;
- x6 - from 400K active installs;
- x7 - from 800K active installs;
- x8 - from 1.6 million active installs;
- x9 - from 3.2 million active installs;
- x10 - from 5 million active installs.
- x20 - WordPress core
- When calculating the points for each reported vulnerability, we will apply the coefficient by privilege-required parameter:
- x2 - unauthenticated;
- x1 - subscriber and customer (WooCommerce);
- x0.75 - contributor;
- x0.5 - author and editor;
- x0.25 - Shop Manager (WooCommerce)
- x0 - admin, superadmin
- Also, we will apply the coefficient by vulnerability type parameter:
- x3 - Remote Code Execution (RCE), Arbitrary file upload, Local File Inclusion (LFI); ⚠️ New!
- x2 - PHP Object Injection and Insecure Deserialization; ⚠️ New!
- x1.5 - SQL Injection (SQLi), Arbitrary file download/deletion, Privilege escalation;
- x0.25 - Cross-Site Request Forgery (CSRF);
- x0.2 - Race Condition;
- If it is impossible to determine the number of active installations or sales, we will resolve it using the means available (Google, Public WWW).
- We will count XP points for each month strictly from the first month's day to the last (UTC zone) or for the announced custom event time range.
- The results will be visible all the time on the monthly scoreboard - https://patchstack.com/database/leaderboard
- Remember that final results will be available only once all reports are validated, and final results are announced on the Patchstack Alliance Discord server or other official Patchstack source.
- Members could get more score points (x1.5) for highly detailed advisories on their discovered vulnerabilities if they have a high CVSS 3.1 base score (7.5 or higher). Before creating such a detailed advisory, you must inform Patchstack to discuss the details.
- We will accept vulnerabilities that require an attacker to have admin or higher user roles (similar custom roles). However, these will be used only to report them to the vulnerable software vendor and disclose them in the Patchstack Vulnerability Database. CVE ID will be assigned, but, no XP points for the monthly Patchstack bug bounty competition or custom event will be calculated.
- We are not accepting CSV injection vulnerabilities as they require a lot of steps to be made outside the vulnerable application and server that hosts it. From the perspective of WordPress, it’s impossible to evaluate the success and severity of the attack.
- We do not accept IP spoofing as a vulnerability if it does not directly impact a feature that relies on it, such as IP blocking.
- We are not accepting the “Race Condition” vulnerabilities with CVSS (3.1) Base Score lower than 7.0.
- Auth. Contributor+ Shortcode Preview is out of scope, and such reports are no longer accepted unless sensitive or security-related information is disclosed, like PII (valid and measurable security impact). Patchstack keeps the right to reject selected reports from this category. The ability to preview/execute a shortcode usually exposes no sensitive information, in the case it does, you can still report it. Note that this is not related to Cross-Site Scripting (XSS) and we still accept those. ⚠️ New!
- Reports for CSRF or Broken Access Control vulnerabilities leading to the Dismissal of Notice are no longer eligible to receive AXP unless the Dismissal of Notice has a valid and measurable impact. Patchstack keeps the right to reject selected reports from this category. ⚠️ New!
- Patchstack will use the easiest way provided by vendors to contact them and report the vulnerability. If there’s no way to contact the vendor, we will report the vulnerable component to the repository it is hosted on. We will not create accounts on the vendor's provided support forums or ticketing systems. Also, we will not provide vulnerability data to third parties even if the vendor mentions them as authorized ones to get such information on behalf of the vendor.
- CVE IDs will be assigned as soon as we know there’s no possible CVE collision.
- All vulnerabilities submitted to the Patchstack bug bounty program will be disclosed (once they get processed by Patchstack according to our vulnerability disclosure rules) to the Patchstack Vulnerability Database - a public and free vulnerability database https://patchstack.com/database/. We will allow everyone to freely access, save, and share (with a reference link to the original source) this information for personal use.
- Patchstack adheres to a philosophy of ethical disclosure. Therefore, disclosing a vulnerability is pending until the software manufacturer publishes a patched version and most users update it on their websites. The aim is to minimize the negative impact that disclosure of vulnerabilities can cause. You can read more in Patchstack Vulnerability Disclosure Policy - https://patchstack.com/patchstack-vulnerability-disclosure-policy/
- Also, we ask researchers not to disclose any reported vulnerability information to 3rd parties or public access before it is disclosed in the Patchstack Vulnerability Database.
- Suppose the software manufacturer takes no action and ignores the information received for 30 days. The vulnerability will be disclosed and might be reported to the WordPress Security Team (https://developer.wordpress.org/plugins/wordpress-org/plugin-security/reporting-plugin-security-issues/).
- The disclosure date can be postponed by Patchstack unilateral decision for components in the Patchstack mVDP program. For all other components default 30-day rule applies.
- We will disclose vulnerabilities on behalf of the researcher (we will use the name or nickname you provided and a link to your Twitter or another social account). However, we will add "(Patchstack Alliance)" to the author's name for the publicity for the bug bounty program & Patchstack Alliance community.
- CVE IDs will be published to the CVE global CVE database once we disclose the vulnerability to the Patchstack vulnerability database.
Anyone can compete for the prize pool prize if they submit legitimate and unique vulnerabilities as required in the Patchstack bug bounty program rules.
- Patchstack has a monthly bug bounty competition. Anyone can submit vulnerability reports to compete and receive bounties for research.
- Monthly competitions start on the first day of the month at 00:00 (UTC) and end at midnight on the last day of the month.
- You can see the preliminary results of the current month at https://patchstack.com/database/leaderboard. Also, you can see the historical data by selecting the year and month from the dropdown list.
- The final results are announced on the Patchstack Alliance Discord server.
- Patchstack holds custom events through-out the year. Events are announced on the Patchstack Alliance Discord server.
- The default Patchstack bug bounty program rules apply to custom events if not overridden by specific rules for the particular event.
- Patchstack also offers private bounty campaigns from software vendors. Vendors can offer additional bounties for vulnerabilities identified in their software products, which are enrolled in the Patchstack mVDP program.
Patchstack can reward individual ethical hackers at their discretion based on the overall impact of the vulnerabilities they discover. The goal is to reward research and effort towards high-impact vulnerabilities and compensate quality in addition to quantity.
Requirements for the Patchstack Zeroday bounties:
- The plugin has an active VDP listed on patchstack.com/database/vdp/.
- Vulnerability leads to a full site compromise (ability to upload & access a functional backdoor).
- Exploitable with Unauthenticated (none), or non-higher than Subscriber/Customer (WooCommerce) user roles.
- The report includes a working exploit.
- No prerequisites (default settings / most common environment / does not need any other vulnerability to be present).
- Exploitation does not require a user interaction.
Patchstack offers a monthly guaranteed bounty pool of $4,200. Each month, the total prize pool will be paid out based on the results from the final leaderboard. The monthly bounty pool is split in this way:
Ethical hackers receive passive rewards for accumulating XP and leveling up. The XP is counted from bug-hunting competitions, custom events, and from the Patchstack Zeroday bounties.
Starting from Level 2, researchers will unlock rewards:
|$500 + Mystery Box
|$1337 + Mystery Box
- We pay bounties via the PayPal payment platform.
- Each researcher must take care of the administration of their PayPal account and the possibility of transferring money to the specified account.
- Each researcher is responsible for the tax obligations for payouts received through the Patchstack bug bounty program.
- If your PayPal account is blocked, investigated, or frozen due to sanctions, Patchstack will attempt to transfer the money within a month, and after one month bounty will be dropped back to the bounty pool.
- Patchstack is paying bounties by invoices. We don’t make payments without invoices. PayPal invoice money requests should include the following data:
- Full name;
- It should be addressed to - Patchstack OÜ;
- Payment purpose - "Security research (+ your name or nickname that you use on the bug bounty program)".
- Additional details are always provided via email.
- Payments are made in 30 days after the final results are announced.
- Patchstack Alliance is an open community of cyber security researchers, developers, pentesters, and bug bounty hunters (hereafter in the text - members).
- Everyone can join the Patchstack Alliance if they are committed to making the WordPress ecosystem safer and satisfying other Patchstack bug bounty program requirements.
- By submitting at least one valid vulnerability report that meets the Patchstack bug bounty program vulnerability report submission requirements, you get access to the Discord member-only section of the Patchstack Alliance community.
- Membership is not mandatory. We will accept reports and assign CVE IDs for your reported vulnerabilities whether you are a member of the Patchstack Alliance or not.
- If you decide to stay incognito, we will not ask for additional information. However, getting bounties involves invoicing, so you still need to provide some personal data.
- Each Patchstack Bug Bounty ethical hacker will have a public profile page on the bug bounty program.
- The profile will include basic information about the member and all the data related to member activities related to the Patchstack bug bounty program (research points, discovered vulnerabilities, achievements badges, social links, CVE IDs).
- We will ask members to provide the basic information necessary for their public profiles on the Patchstack bug bounty program, like name or nickname and social profile link (Twitter, Reddit, GitHub, BuyMeACoffee link, or any other).
- We have not set an age limit, but members must ensure they can legally accept bounties in their local jurisdiction.
- Patchstack Alliance members may be asked to give interviews as we want to introduce Patchstack Alliance members to the public for transparency and program promotion purposes.
- We expect common sense, responsibility, and abstinence from actions that may, in one way or another, damage the Patchstack brand, the bug bounty program, or the Patchstack Alliance community.
- Patchstack reserves the right to expel any member from the Patchstack Alliance member list for unethical or malicious acts that may affect Patchstack and Patchstack Alliance's reputation, even if malicious acts are not directly related to the Patchstack Alliance community or our bug bounty program.
- Patchstack reserves the right to remove access to the private Alliance members channel on the Patchstack Alliance Discord server for inactive users (inactive for more than 3 months)
- All announcements related to the Patchstack bug bounty program will be released on the Patchstack Alliance Discord server at https://discord.gg/rkE8yxtNmS
- Additionally, information about the Patchstack bug bounty program, events, results, activities, and some announcements will be published on official Patchstack pages at:
- If you need additional information, you can ask for help via email at firstname.lastname@example.org or create a support ticket on the Patchstack Alliance Discord - https://discord.gg/rkE8yxtNmS.
What Patchstack offers
- First, we offer a competition that allows you to win money and prizes for discovering vulnerabilities.
- We offer publicity. We will do everything possible to show the world how good you are at hunting vulnerabilities.
- The WordPress community will praise you for your discoveries.
- You'll get your Patchstack Bug Bounty profile page showing all your achievements. An excellent way to show everyone your skill level.
- Blog posts, database entries, and other link and traffic sources to your social profiles. We don't want to hide you. We want everybody to know who the Patchstack Alliance members are.
- Trust us, you'll meet fascinating people here, and this competition might be a jump start for your career.
- CVE IDs for all valid reports. There’s no better way to prove your skills.
- Share and gain knowledge. The Patchstack bug bounty program is not just about the competition. It's about the people and community.