December WordPress Bug-Hunting Challenge

Published 5 December 2022
Updated 24 July 2023
Sander Jürgens
Support engineer at Patchstack

We are beyond excited to celebrate the winter holidays and the launch of the Patchstack Alliance Discord community with a special WordPress bug-hunting event taking place throughout December 2022.

In December, we released a public leaderboard and profiles for the top security researchers who contribute to making WordPress and the open-source web more secure.


You can see the November WordPress bug-hunting winners and profiles here: https://patchstack.com/database/leaderboard?monthly=2

The December prize pool is $4300 in cash rewards


On each Monday, we’ll announce the scope for the weekly WordPress bug-hunting focus. With 4 weeks of challenges and monthly prizes on top, we pay out $4300 in cash rewards!

Each week has a special vulnerability that needs to be hunted in any publicly available WordPress themes, plugins, or even in the core itself.

The top 3 researchers with the most points from each week will get cash rewards (1st place – $300, 2nd – $200, and 3rd – $100). All points will also be used for the monthly Patchstack Alliance competition, with an additional $1900 prize pool.

The first week (Dec. 5-11) – Cross-Site Request Forgery (CSRF) – finished!

1st place ($300 bounty) – Lana Codes reported 58x vulnerabilities (349.4 points)
2nd place ($200 bounty) – Muhammad Daffa reported 9x vulnerabilities (129 points)
3rd place ($100 bounty) – Cat reported 25x vulnerabilities (125.3 points)

The second week (Dec. 12-18) – Cross-Site Scripting (XSS) – finished!

1st place ($300 bounty) – minhtuanact reported 8x vulnerabilities (50.4 points)
2nd place ($200 bounty) – pilvar reported 1x vulnerability (31.5 points)
3rd place ($100 bounty) – Muhammad Daffa reported 2x vulnerabilities (21.5 points)

The third week (Dec. 19-25) – SQL injection (SQLi) – finished!

1st place ($300 bounty) – Le Ngoc Anh reported 2x vulnerabilities (16.8 points)
2nd place ($200 bounty) – minhtuanact reported 10x vulnerabilities (14.6 points)
3rd place ($100 bounty) – Lucio Sá reported 1x vulnerability (7.5 points)

The fourth week (Dec. 26-31) – Remote Code Execution (RCE) – finished!

1st place ($300 bounty) – minhtuanact reported 1x vulnerability (9 points)
2nd place ($200 bounty) – Le Ngoc Anh reported 1x vulnerability (8.5 points)
3rd place ($100 bounty) – none

More details on the Patchstack Alliance Discord

Claim your CVEs

Patchstack is an official CNA authorized by MITRE to assign CVE IDs to vulnerabilities reported through the Patchstack Alliance bug bounty program. We make sure the reports get to the developers and that all ethical hackers get credit for their research and contribution.

Join the community

Patchstack Alliance is a community of ethical hackers who contribute to making the entire web more secure. It’s a great place to learn new skills, make friends and create a portfolio of your security research.

For more information & rules, join our Discord server here: https://patchstack.com/bug-bounty/
