UPDATE: As of 2022, Patchstack Red Team is known as Patchstack Alliance
Patchstack Red Team is a community of independent security researchers who contribute to building a safer web.
Red Team members identify and report security vulnerabilities in WordPress plugins and themes to help software vendors address security issues before they pose risk to users and to the public.
May prize pool increased to $1300 USD
Security researchers who report vulnerabilities to the Patchstack database are paid for their findings.
Patchstack, with the help of supporters, has put together a monthly prize pool that has been increasing month over month. For example, the total prize pool paid out for April findings was $1100 USD.
In May 2021, the prize pool increased to $1300 USD with the help of the following supporters:
If you wish to contribute to the initiative and help us build a security community behind WordPress, reach out here!
156 vulnerabilities found in April by Patchstack Red Team
The Patchstack Red Team community is growing as new members join. The number of vulnerability reports has doubled since March. While many of these vulnerabilities have already been disclosed in the Patchstack database, a large number of them are still waiting to be patched by the developers.
Here are some statistics from the vulnerabilities reported in April.
Reported vulnerability types:
- XSS – 106
- CSRF – 16
- SQLi – 15
- RCE – 9
- Other – 10
The most popular plugin had 5+ million active installs, and the smallest had 370 active installs (not only big projects are being audited). There were six plugins with more than 1 million active installs, with a total of 9 vulnerabilities discovered in them.
Top 5 Patchstack Red Team members:
- m0ze (1214 points) total 61 vulnerabilities;
- Nguyen Van Khanh (Sun* R&D Lab) (721 points) total 44 vulnerabilities;
- Lenon Leite (556 points) total 35 vulnerabilities;
- Ngo Van Thien (Sun* R&D Lab) (240 points) total 11 vulnerabilities;
- Nguy Minh Tuan (Sun* R&D Lab) (83 points) total 4 vulnerabilities;
Patchstack Red Team community is growing
For the past few months, Patchstack Red Team members were hand-picked. Due to the large number of applications from security researchers who want to get involved, we have now opened membership up to the public.
If you wish to make the WordPress ecosystem more secure, contribute your skills, get exposure as a researcher and earn a share of that prize pool, check here!
If you’re a hosting company, plugin developer, or agency serving the WordPress ecosystem and wish to contribute to building a security community behind WordPress, reach out here!