We are thrilled to finally announce that as of June 2021, Patchstack has been named by the Common Vulnerabilities and Exposures (CVE®) Program as a CNA (CVE Numbering Authority).
As a CVE Numbering Authority, Patchstack is authorized to assign CVE IDs for new vulnerabilities submitted by Patchstack Red Team for WordPress Core, WordPress Plugins, WordPress Themes, and other PHP components.
Our team will help researchers who submit new vulnerabilities to the Patchstack Database validate the vulnerability and reach out to the developer for a proper fix. Ultimately, if applicable, Patchstack will assign the CVE ID to the original researcher.
CVE is an international, community-based effort and relies on the community to discover vulnerabilities. Vulnerabilities are discovered, then assigned and published to the CVE List.
The CVE List is built by CVE Numbering Authorities (CNAs). Every CVE Record added to the list is assigned by a CVE Numbering Authority (CNA).
Partners (such as Patchstack) publish CVE Records to communicate consistent descriptions of vulnerabilities. Information technology and cybersecurity professionals use CVE Records to ensure they are discussing the same issue and to coordinate their efforts to prioritize and address the vulnerabilities.
Patchstack Red Team is a bug hunting community of independent security researchers who help strengthen the WordPress ecosystem by looking for security vulnerabilities in WordPress core, themes, and plugins.
We believe that the WordPress ecosystem needs a strong security community that involves independent security researchers, WordPress security vendors, hosting companies, and anyone else who serves the WordPress ecosystem.
If the community comes together and shares the information and supports each other, we not only keep our customers safer but move the whole WordPress ecosystem towards a brighter, safer future!
Anybody can report new vulnerabilities to Patchstack. Everybody who has reported 3 or more valid vulnerabilities to Patchstack Database will also receive an invitation to become a member of the Patchstack Red Team.
All reports that have been validated will follow our responsible disclosure policy and will be made publicly available on Patchstack Database. Credit will always go to original researchers!
Read an interview with one of the Patchstack Red Team members, m0ze.
The mission of the Common Vulnerabilities and Exposures (CVE®) Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.
There is one CVE Record for each vulnerability in the catalog. Vulnerabilities are discovered, then assigned and published by organizations from around the world that have partnered with the CVE Program.