Everyone can submit vulnerability reports to the Patchstack Alliance, provided they follow the Patchstack Alliance rules. Reports must be submitted through this web form – https://patchstack.com/database/report.
All vulnerabilities submitted to the Patchstack Alliance project will be disclosed (once they have been processed by Patchstack according to our vulnerability disclosure rules) in the Patchstack Vulnerability Database – a public and free vulnerability database at https://patchstack.com/database/. Everyone may access, save, share, and use this information, as we do not want to limit its spread.
All vulnerabilities submitted by Patchstack Alliance members must be new and unique. This means a submitted vulnerability must not have been reported or published anywhere before, so that the Patchstack Alliance is the first and only recipient of that particular vulnerability report. We want to avoid duplicate CVE ID submissions and other issues that could waste our resources or harm our reputation. Vulnerabilities previously publicly disclosed, published, or reported elsewhere will be rejected.
All vulnerability reports should be submitted using the form available here – https://patchstack.com/alliance/. We do not accept submissions by email or in any other form. We accept only vulnerability reports for WordPress ecosystem components: WordPress core, plugins, and themes. We accept reports for all WordPress plugins and themes, whether free or premium, but remember that you must provide the original (unaltered) premium software archives so that we can use them for vulnerability validation.
The Patchstack Alliance adheres to a philosophy of ethical disclosure. Therefore, disclosure of a vulnerability is held until the software vendor publishes a patched version and most users have updated it on their websites. The aim is to minimize the negative impact that disclosing vulnerabilities can cause. You can read more in the Patchstack Vulnerability Disclosure Policy – https://patchstack.com/patchstack-vulnerability-disclosure-policy/
Patchstack will use the easiest contact method the vendor provides to report the vulnerability. If there is no way to contact the vendor, we will report the vulnerable component to the repository it is hosted on. We will not create accounts on the vendor's support forums or ticketing systems. We will also not provide vulnerability data to third parties, even if the vendor names them as authorized to receive such information on its behalf.
We will disclose vulnerabilities on behalf of the author (using the name or nickname you provided and a link to your Twitter or other social account). However, we will add "(Patchstack Alliance)" to the author's name to publicize the whole project.
Make sure you provide all vulnerability details in your reports. Any additional (unreported) vulnerabilities discovered while validating a reported vulnerability or verifying the patches applied by vendors will be published in the name of the in-house Patchstack researcher who finds them.
Pay attention to the quality of your reports, and test them carefully before submitting them to the Patchstack Alliance. Incomplete reports will be rejected; you may revise a rejected report up to two times. We count the date of the last revision as the submission date: if you submitted a report in June, but it had issues and you updated the information to fix them in July, we count it as a report submitted in July.
Three rejected reports in one month will lead to a cooldown period: we will not accept reports from that member for the following month.
What can cause a rejection: an incomplete report, an invalid report, wrong data (a missing vulnerability title, wrong vulnerability type, inaccurate payload, etc.), or reports that rely on non-standard user roles (this does not apply to custom roles that a plugin itself defines) or on roles with altered permissions.
We do not accept reports for closed plugins or themes. We reserve the right to reject vulnerability reports if the vulnerable component is not in WordPress, Envato, or other well-known repositories and is distributed from a private manufacturer repository.
We will not accept reports made by reported component vendors/developers/authors.
If we receive reports of the same vulnerability from different members, we will credit it to the member who submitted the valid report first.
Competition, prize pool, and bounties
Anyone can compete for the prize pool as long as they submit legitimate and unique vulnerabilities and the Patchstack Alliance is the first and only recipient of that information.
Patchstack guarantees a monthly prize pool of a minimum of $2025 as a general bounty pool and $400 as an additional prize pool for special bounties.
Patchstack Alliance accepts private bounty campaigns from software vendors. Vendors can offer additional bounties for vulnerabilities identified in their software products.
The Patchstack Alliance member who collects the most points in a particular month from their submitted reports will get a $650 bounty, the second will get $350, and the third will get $250. 4th to 10th place will get $75 bounties, and 11th to 15th place will get $50 bounties. All other researchers who have submitted at least one valid vulnerability will get a $50 bounty. Bounties are paid only if the researcher's XP score for that particular month is higher than zero.
A limited number of extra bounties may be awarded for reports that meet specific criteria. Each month, extra bounties will be awarded for:
Reporting the valid security bug with the highest severity found in a semi-popular component (minimum 25,000 active installations and a CVSS 3.1 base score of 7.3 or higher).
Reporting a valid security bug found in the most popular component (minimum 100,000 active installations and a CVSS 3.1 base score of 6.1 or higher).
Reporting an identical, valid security bug found in the most components (minimum 10 affected components with over 10,000 active installations each, a CVSS 3.1 base score of 5.4 or higher, and a PoC that works identically on each affected component).
Reporting a vulnerability that affects a library or other resource shared across multiple components. It must affect at least 50 components, each with at least 1000 active installs, and have a CVSS 3.1 base score of at least 3.8.
Patchstack may reward individual Patchstack Alliance members at its discretion based on the overall impact of the vulnerabilities they discover. The aim is to reward members who have found high-impact vulnerabilities but have not reached the number of points that would guarantee a monthly competition prize (for example, finishing outside the first three places).
Alliance members are not required to find a set number of vulnerabilities each month. Since this is not a strict contract, you can choose how much time you spend on the competition.
We pay bounties via PayPal. Each member is responsible for administering their PayPal account and for making sure money can be transferred to the specified account. If your PayPal account is blocked, under investigation, or frozen due to sanctions, Patchstack will attempt the transfer for one month; after that, the bounty is returned to the bounty pool. Patchstack pays bounties against invoices; we do not make payments without an invoice. PayPal invoice money requests must include the following data:
It should be addressed to – Patchstack OÜ;
Payment purpose – "Security research (+ your name or nickname as used on the Alliance platform)".
Two main parameters are used to calculate competition points:
a) the CVSS (version 3.1) base score (you can try the CVSS 3.1 calculator here – https://www.first.org/cvss/calculator/3.1);
b) the count of active installs (for premium products, the count of sales).
We do not use the exact number of active installs in the calculation. Instead, we have groups that represent ranges, and the group number acts as a multiplier in the overall points calculation: we take the CVSS base score and multiply it by the multiplier representing the range of active installs (sales). Ranges:
x1 – from 1000 to 25K active installs;
x2 – from 25K active installs;
x3 – from 50K active installs;
x4 – from 100K active installs;
x5 – from 200K active installs;
x6 – from 400K active installs;
x7 – from 800K active installs;
x8 – from 1.6 million active installs;
x9 – from 3.2 million active installs;
x10 – from 5 million active installs;
x20 – WordPress core.
When calculating the points for each reported vulnerability, we also apply a coefficient for the privilege-required parameter:
x2 – unauthenticated;
x1 – subscriber and customer (WooCommerce);
x0.75 – contributor;
x0.5 – author and editor;
x0.25 – Shop Manager (WooCommerce);
x0 – admin, superadmin.
We also apply a coefficient for the vulnerability type parameter:
If it is impossible to determine the number of active installations or sales, we will try to establish it using the means available (Google, PublicWWW).
We count points for each month strictly from the first day of the month to the last. Results will be revealed as soon as possible, and no later than the end of the following month, because we sometimes need extra time to validate reports sent to us in the last days of the month. Payments are made within 30 days after the results are published.
We use UTC as the reference time zone, so please keep the offset from your local time in mind.
We will accept vulnerabilities that require the attacker to have an admin or higher user role (or a similar custom role, or a lower role with altered permissions). However, these will only be disclosed in the Patchstack Vulnerability Database, with a CVE ID assigned; no points will be counted for the monthly Alliance competition.
We do not accept CSV injection vulnerabilities, as they require many steps outside the vulnerable application and the server hosting it. From the perspective of WordPress, it is impossible to evaluate the success and severity of such an attack.
We do not accept race condition vulnerabilities with a CVSS (3.1) base score lower than 7.0.
We will accept vulnerabilities in components with fewer than 1000 active installs. However, these will only be disclosed in the Patchstack Vulnerability Database and assigned CVE IDs; no points will be counted for the monthly Patchstack Alliance competition.
CVE IDs will be assigned as soon as the vulnerability is validated by Patchstack, or within up to two weeks if a large number of reports has been submitted. CVE IDs will be published once we disclose the vulnerability in the Patchstack Vulnerability Database (30 days from the day the report is validated).
Members can earn extra points (x1.5) for highly detailed advisories on their discovered vulnerabilities if the vulnerability has a high CVSS 3.1 base score (7.5 or higher). Before creating such a detailed advisory, you must inform Patchstack so that the details can be discussed.
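As an added worked example (not Patchstack's own code), the points calculation described in the rules above, folded together with the zero-points cases for admin-level roles and components under 1000 installs and the x1.5 detailed-advisory bonus. The vulnerability-type coefficient values are not listed on this page, so it is left as a caller-supplied parameter that defaults to 1.0 (an assumption).

```python
# Added example of the Alliance scoring rules; assumptions are marked in comments.

# Active-install (or sales, for premium products) thresholds -> range multiplier.
INSTALL_MULTIPLIERS = [
    (5_000_000, 10), (3_200_000, 9), (1_600_000, 8), (800_000, 7), (400_000, 6),
    (200_000, 5), (100_000, 4), (50_000, 3), (25_000, 2), (1_000, 1),
]

# Privilege-required coefficients from the rules table.
ROLE_COEFFICIENTS = {
    "unauthenticated": 2.0,
    "subscriber": 1.0, "customer": 1.0,
    "contributor": 0.75,
    "author": 0.5, "editor": 0.5,
    "shop_manager": 0.25,
    "admin": 0.0, "superadmin": 0.0,
}


def install_multiplier(active_installs: int, is_core: bool = False) -> int:
    """Map an install count to its range multiplier; WordPress core is a flat x20.
    Components with fewer than 1000 installs score 0 (disclosed with a CVE, no points)."""
    if is_core:
        return 20
    for threshold, multiplier in INSTALL_MULTIPLIERS:
        if active_installs >= threshold:
            return multiplier
    return 0


def competition_points(cvss_base: float, active_installs: int, role: str,
                       is_core: bool = False, type_coefficient: float = 1.0,
                       detailed_advisory: bool = False) -> float:
    """points = CVSS 3.1 base score * install multiplier * role coefficient
    * vulnerability-type coefficient (assumed 1.0; values not given on the page)
    * 1.5 when a pre-agreed detailed advisory accompanies a CVSS >= 7.5 report."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS 3.1 base score must be between 0.0 and 10.0")
    role_key = role.strip().lower().replace(" ", "_")
    if role_key not in ROLE_COEFFICIENTS:
        raise ValueError(f"unknown role: {role!r}")
    points = cvss_base * install_multiplier(active_installs, is_core)
    points *= ROLE_COEFFICIENTS[role_key] * type_coefficient
    if detailed_advisory and cvss_base >= 7.5:
        points *= 1.5
    return points


if __name__ == "__main__":
    # Constructed sample: CVSS 7.5 bug, 60K installs (x3), contributor role (x0.75).
    print(competition_points(7.5, 60_000, "contributor"))
```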
Patchstack Alliance is an open community of cyber security researchers, developers, pentesters, and bug bounty hunters (hereafter in the text – members).
Everyone can join the Patchstack Alliance as long as they are committed to making the WordPress ecosystem safer and satisfying other Patchstack Alliance bounty program requirements.
By submitting at least one valid vulnerability report that meets the Patchstack Alliance vulnerability report submission requirements, you get the right to become a member of the Patchstack Alliance.
Membership is not mandatory. We will accept reports and assign CVE IDs for your reported vulnerabilities whether you are a member of the Patchstack Alliance or not.
If you decide to stay incognito, we will not ask for additional information. However, receiving bounties involves an invoicing process, so you will still need to provide some personal data.
Each Patchstack Alliance member will have their own public profile page on the Alliance platform website. The profile will include basic information about the member and all data related to their Patchstack Alliance activities (research points, discovered vulnerabilities, achievement badges, social links, CVE IDs).
We will ask members to provide the basic information necessary for their public profiles on the Patchstack Alliance website, like name or nickname and social profile link (Twitter, Reddit, GitHub, or any other).
We have not set an age limit, but members must ensure they can legally accept bounties in their local jurisdiction.
Each member is responsible for the tax obligations for payouts received through the Patchstack Alliance.
Patchstack Alliance members may be asked to give interviews as we want to introduce Patchstack Alliance members to the public for transparency and project promotion purposes.
We expect common sense, responsibility, and restraint from actions that may, in one way or another, damage the image of the Patchstack Alliance project.
Patchstack reserves the right to expel any member from the Patchstack Alliance for unethical or malicious acts that may affect the image of Patchstack or the Patchstack Alliance, even if those acts are not directly related to Patchstack Alliance activities.
What Patchstack offers
First of all, we offer a competition that lets you win real money and prizes for discovering vulnerabilities.
We offer publicity. We will do everything we can to show the world how good you are at hunting vulnerabilities.
The WordPress community will praise you for your discoveries.
You'll get your own Patchstack Alliance profile page (coming soon) showing all your achievements, an excellent way to show everyone your skill level.
Blog posts, database entries, and other links and traffic sources pointing to your social profiles. We don't want to hide you; we want everybody to know who the Patchstack Alliance members are.
Trust us, you’ll meet fascinating people here, and this competition might be a jump start for your career.
Share and gain knowledge. Patchstack Alliance is not just about the competition. It’s about the people and community.