Start FREE
Back to all articles
Updated: 12.05.2022
December WordPress Bug Hunting Challenge has a $4300 prize-pool
Sander
from patchstack

We are beyond excited to celebrate the winter holidays and launch of Patchstack Alliance Discord community with a special bug hunting event taking place throughout December 2022.

In December, we released public leaderboard and profiles for the top security researchers who contribute into making WordPress and the open-source web more secure.

You can see the November winners and profiles here: https://patchstack.com/database/leaderboard?monthly=2

December prize-pool is $4300 in cash rewards

On each Monday, we’ll announce the scope for the weekly bug hunting focus. With 4 weeks of challenges and a monthly prizes on top, we pay out $4300 in cash rewards!

Each week has a special vulnerability that needs to be hunted in any publicly available WordPress themes, plugins or even in the core itself.

The top 3 researchers with the most points from each week will get cash rewards (1st place - $300, 2nd - $200, and 3rd - $100). All points will also be used for the monthly Patchstack Alliance competition, with an additional $1900 prize-pool.

The first week (Dec. 5-11) - Cross-Site Request Forgery (CSRF) - finished!

1st place ($300 bounty) - Lana Codes reported 58x vulnerabilities (349.4 points)
2nd place ($200 bounty) - Muhammad Daffa reported 9x vulnerabilities (129 points)
3rd place ($100 bounty) - Cat reported 25x vulnerabilities (125.3 points)

The second week (Dec. 12-18) - Cross-Site Scripting (XSS) - finished!

1st place ($300 bounty) - minhtuanact reported 8x vulnerabilities (50.4 points)
2nd place ($200 bounty) - pilvar reported 1x vulnerabilities (31.5 points)
3rd place ($100 bounty) - Muhammad Daffa reported 2x vulnerabilities (21.5 points)

The third week (Dec. 19-25) - SQL injection (SQLi) - finished!

1st place ($300 bounty) - Le Ngoc Anh reported 2x vulnerabilities (16.8 points)
2nd place ($200 bounty) - minhtuanact reported 10x vulnerabilities (14.6 points)
3rd place ($100 bounty) - Lucio Sá reported 1x vulnerability (7.5 points)

The fourth week (Dec. 26-31) - Remote Code Execution (RCE) - finished!

1st place ($300 bounty) - minhtuanact reported 1x vulnerability (9 points)
2nd place ($200 bounty) - Le Ngoc Anh reported 1x vulnerability (8.5 points)
3rd place ($100 bounty) - none

More details on the Patchstack Alliance Discord

Claim your CVEs

Patchstack is an official CNA authorised by MITRE to assign CVE IDs to vulnerabilities reported through the Patchstack Alliance bug bounty program. We make sure the reports get to the developers and that all ethical hackers get credit for their research and contribution.

Join the community

Patchstack Alliance is a community of ethical hackers who contribute into making the entire web more secure. It’s a great place to learn new skills, make friends and create a portfolio of your security research.

For more information & rules, join our Discord server here: https://patchstack.com/alliance/

Share This Article
Related Articles
View All
Multiple Authenticated SQL Injection Fixed In WP Statistics Plugin Version
Solving Unpredictable WP-Cron Problems, Addressing CVE-2023-22622
Patchstack Weekly #57: Expanding Your Idea of Security
1 2 3 63

All solutions

WordPress securityPlugin auditingVulnerability databaseVulnerability API
Bug bounty program

WordPress security

Patchstack for WordPress
For agencies
For hosts
For plugins
NEW
Pricing & featuresDocumentation

Patchstack

About usCareersMedia kitArticles & insightWhitepaper 2021
DPAPrivacy PolicyTerms & Conditions
© 2023 Patchstack
Looks like your browser is blocking our support chat widget. Turn off adblockers and reload the page.
crossmenu