Today, we are super excited to launch the new version of the Patchstack mVDP platform, which now comes with an AI-based code review tool, team management features and a discussion board that helps plugin developers improve their code faster.
With more and more software being generated by AI, we are witnessing a significant increase in new vulnerabilities and an equal increase in AI-generated security reports, which makes managing the security of plugins more important than ever.
Complete security suite for plugins
While our managed VDP remains free to all plugin developers, we are introducing a new Security Suite tier, priced at $75 a month. This includes $40 worth of AI tokens for code security reviews per month. Additional AI credits can be purchased if needed.
When working with hundreds of plugin developers and managing VDPs for more than 700 plugins, we’ve learned that in many cases, more than one developer needs to access the same reports. To make sharing information and access less painful and more secure, the Security Suite plan comes with a team management feature with 5 seats included by default.
Another widely requested feature has been the ability to use Patchstack as a secure channel whenever there is a need to communicate directly with the vulnerability reporter. For that, the Security Suite tier includes a discussion board where you can directly chat with the researcher who reported an issue.
AI code review 🤝 human research
The new Security Suite tier combines the best of both worlds. Your plugins will receive boosted visibility (100% AXP bonus) in the Patchstack Alliance ethical hackers community, which encourages security researchers to report significantly more bugs and help plugins fix more vulnerabilities faster.
Additionally, our AI code review tool can scan through your entire codebase to find WordPress-specific security issues and highlight potential improvements. We are currently launching this in beta, but we’ll have many more releases to share in the coming months.

Also, all Security Suite users will get patch recommendations from our internal security research team, regardless of whether the vulnerability was reported by a human or discovered with the AI scanner.
This means that not only will you speed up your vulnerability management process, but you’ll also be able to release fixes faster.
Don’t leave CRA compliance to the last minute
As you may know already, the Patchstack mVDP platform was built with the support of the European Union. At the end of 2024, the European Union passed the Cyber Resilience Act (CRA), which will hold software vendors accountable for the security of their products.
This will also affect many WordPress plugins (all commercial plugins, or plugins maintained by a legal entity). Patchstack helps WordPress plugins become CRA-compliant by setting up a secure VDP, coordinating vulnerability disclosures, and reporting vulnerabilities to the European vulnerability database (managed by ENISA).
Cyber Resilience Act penalties are almost identical to those of GDPR. The deadline for first compliance is already in 2026. You can read more about CRA requirements and compliance here.