Introducing the Patchstack VDP platform

Published 10 September 2024
Updated 12 September 2024
Oliver Sild
CEO at Patchstack

Our mission to provide the fastest mitigation to security vulnerabilities is core to our long-term vision of becoming a global cyber-security leader with the biggest impact on open-source security. Today, we are excited to finally reveal the next chapter of our journey.

We truly believe that the only way to reach a dream this ambitious is to work closely with the entire open-source community. Patchstack already works closely with leading digital agencies and web hosting companies around the world, and now it is time to work with plugin developers to raise the ecosystem's security standards together.

Patchstack has been a pioneer of next-gen WordPress security for many years. Four years ago, we launched the first open bug bounty program covering all WordPress plugins, and recently we paid out our highest-ever bounty of $14,400 for a single WordPress plugin vulnerability. In 2023, 73% of all 5,948 published vulnerabilities were originally disclosed by Patchstack, and in 2024 we are on track for another record-breaking year.

We are not just the leading WordPress vulnerability intelligence provider: in 2023 Patchstack also ranked #1 as the most active CNA (CVE Numbering Authority) globally, processing and triaging the largest volume of software security vulnerabilities in a single year. This requires significant work and is not possible without carefully optimized processes and automation, especially when each vulnerability disclosure has to be coordinated with every stakeholder.

Our knowledge and professionalism are backed by hundreds of plugin developers such as Elementor, WP Rocket, YITH, RankMath, ACF, and many others who have chosen Patchstack as their official security partner. Today, we extend this to everyone, for free!

Bringing new security standards to the WordPress ecosystem

Patchstack’s managed VDP platform is built in collaboration with the European Union to help open-source software companies become compliant with the upcoming Cyber Resilience Act.

It is available to all open-source projects built around the WordPress and WooCommerce platforms and hosted in any public repository, such as the WordPress plugin repository, GitHub, the Envato marketplace, and more.

The Patchstack VDP platform includes a central dashboard with an overview of all current and past security reports affecting your plugins. Each plugin or software product receives its own VDP (vulnerability disclosure program) page to which potential security issues can be reported. Every report is first validated by Patchstack, then collected in the main dashboard, where it is prioritized and filtered by required action and severity.

[Image: Patchstack's managed vulnerability disclosure program portal]

CRA compliance for plugin developers

The Cyber Resilience Act (CRA) introduces mandatory software support and vulnerability disclosure obligations for all commercial software with users in the European Union. The law is expected to be passed in Q4 2024.

The Patchstack VDP platform helps automate the following CRA compliance requirements:

  • Requirement: Set up a vulnerability disclosure policy (VDP)
  • Requirement: Share data with EU vulnerability database
  • Requirement: Notify users about new vulnerabilities
  • Requirement: Notify users about vulnerability exploits
  • Requirement: Provide security updates separately from functional updates

The Patchstack VDP platform helps improve the overall security of your software through the following services:

  • Patchstack provides a secure and streamlined channel for sensitive security reports
  • Patchstack validates all vulnerabilities to cut off noise and “beg bounty” reports
  • Patchstack coordinates vulnerability disclosure between all involved parties
  • Patchstack verifies all patches before they are released to avoid incomplete fixes
  • Patchstack offers guidelines and consulting to simplify and de-risk disclosures
  • Additionally, Patchstack provides full code review and security auditing services (paid).

If you’re a developer or a product company with a plugin built for WordPress, get started and set up your security program here!

Need help? Our documentation covers the entire process.
