Patchstack Red Team: 1067 Vulnerabilities And $7700 In Bounties

Published 20 September 2021
Updated 19 July 2023
Oliver Sild
CEO at Patchstack
Table of Contents

UPDATE: As of 2022, Patchstack Red Team is known as Patchstack Alliance

This is a Patchstack Red Team report for September 2021.

In March 2021, Patchstack announced Patchstack Red Team – a community of independent security researchers who seek vulnerabilities within WordPress plugins, themes, and core.

We’ve been taking the first half of the year slowly, hand-picking the most active researchers and listening to their interests and needs.

1067 security vulnerabilities reported to developers

Within the first 6 months alone, Patchstack Red Team has identified 1067 unique security vulnerabilities found across WordPress plugins, themes, and core.

The most popular vulnerabilities tend to be XSS, CSRF, Privilege escalation, Broken Authentication, and SQL Injection.

A single researcher reports an average of 24.87 new vulnerabilities per month. Some of the plugins/themes had more than 5 million active installations while several had less than 1000 active installations.

Security researchers from 11 different countries

Our Red Team has an active community of security researchers that come together from 11 different countries, such as:

  • Germany
  • France
  • Vietnam
  • Brazil
  • Portugal
  • Russia
  • Columbia
  • Netherlands
  • India
  • Malaysia
  • Thailand

On average, 2 new security researchers join the community every month. It’s a great way for security researchers to get CVE’s and get paid for making the WordPress ecosystem more secure.

In August 2021, we also introduced Hackuu who represents helpfulness, friendliness, and skillfulness which perfectly describes the community of Patchstack Red Team.


Hackuu is a “Wapuu” who automatically posts newly disclosed security information to Twitter. Follow Hackuu here.

7700 USD paid out as bounties to Patchstack Red Team

All of the Red Team members are being rewarded for their contribution to making the web more secure.

Since the beginning, we’ve had a prize pool that is paid out every single month to the most active security researchers in the community.

The prize pool has currently reached $1500 USD per month. You can also become a member of the Patchstack Red Team by submitting new vulnerabilities to Patchstack.

PS! Until the end of the year, Patchstack runs WPBUGHUNT 2021 – a bug-hunting contest where researchers can win Burp Suite PRO licenses, Hak5 kits, PentestLab subscriptions, and more!

Full statistics and details will be made available in early 2022 in our annual WordPress Security 2021 Whitepaper. You can see last year’s WordPress Security 2020 Whitepaper here.

The latest in Patchstack News

Looks like your browser is blocking our support chat widget. Turn off adblockers and reload the page.