UPDATE: As of 2022, Patchstack Red Team is known as Patchstack Alliance
Patchstack Red Team is the most active bug hunting community for security researchers to earn prizes for finding new vulnerabilities in WordPress core, themes, and plugins.
Patchstack Red Team members receive scores based on their findings and are paid according to the monthly leaderboard. Whoever contributes the most to the security of the WordPress ecosystem will earn significant cash prizes, and the prize pool increases every month.
After a careful triage process, the fixed vulnerabilities are published in the Patchstack Database, which is open to the public and where anybody can see the latest security vulnerabilities affecting the WordPress ecosystem.
June prize pool increased to $1500 USD
Patchstack, with the help of supporters, has put together a monthly prize pool that has been increasing month over month. For example, the total prize pool paid out for May findings was $1300 USD.
In June, the prize pool has increased to $1500 USD with the help of the following supporters (see all Red Team supporters here):
If you’re a plugin developer or a hosting company and wish to contribute to the future of a brighter, safer WordPress ecosystem – please reach out to us here!
Why report new vulnerabilities to Patchstack?
Anybody can report new vulnerabilities to Patchstack. Everybody who has reported 3 or more valid vulnerabilities to the Patchstack Database will also receive an invitation to become a member of the Patchstack Red Team.
All reports that have been validated follow our responsible disclosure policy and are made publicly available in the Patchstack Database. Credit always goes to the original researchers!
List of benefits as a member:
- Get access to the Patchstack Red Team bug hunting platform that helps you with research.
- Get an invitation to a closed Slack group where you’ll meet other security researchers.
- Compete for a monthly cash prize pool that increases every month ($1500 in June).
- A dedicated team will help you during the triage process.
- And as of today – get CVE IDs assigned in your name directly through Patchstack.
Read an interview with one of the Patchstack Red Team members, m0ze.
292 new vulnerabilities found in May by Patchstack Red Team
The Patchstack Red Team community is growing every month and its impact has become significant. While many of these vulnerabilities are already disclosed in the Patchstack Database, a large number of them are still waiting to be patched by the developers. We’re working hard on that!
Here are some statistics from the vulnerabilities reported in May.
Reported vulnerability types:
- XSS – 280
- Privilege escalation – 3
- Bypass – 3
- RCE – 2
- SQL injection – 2
- CSRF – 1
- PHP object injection – 1
The most popular affected plugin had 5+ million installs; the smallest had 2000 active installs. Out of all 292 vulnerabilities, a large portion was found in “featured” plugins – if you wish to feature your plugin in front of the Patchstack Red Team and help the initiative, please get a quote here.
Top 5 Patchstack Red Team members in May:
1. m0ze (1546 points) – 149 vulnerabilities in total
2. Thura Moe Myint (746 points) – 101 vulnerabilities in total
3. Ngo Van Thien (Sun* R&D Lab) (547 points) – 11 vulnerabilities in total
4. Lenon Leite (410 points) – 20 vulnerabilities in total
5. Julio Potier (186 points) – 6 vulnerabilities in total
Want to join Patchstack Red Team?
Click here to join our Discord or report your first vulnerability!