Patchstack Red Team is the most active bug hunting community for security researchers to earn prizes for finding new vulnerabilities in WordPress core, themes, and plugins.
Patchstack Red Team members receive scores based on their findings and are paid according to the monthly leaderboard. Whoever contributes the most to the security of the WordPress ecosystem earns significant cash prizes, which increase every month.
After a careful triage process, the fixed vulnerabilities are published in the Patchstack Database, which is open to the public and where anybody can see the latest security vulnerabilities affecting the WordPress ecosystem.
Patchstack, with the help of supporters, has put together a monthly prize pool that has been increasing month over month. For example, the total prize pool paid out for May findings was $1300 USD.
In June, the prize pool increased to $1500 USD with the help of the following supporters (see all Red Team supporters here):
If you’re a plugin developer or a hosting company and wish to contribute to the future of a brighter, safer WordPress ecosystem – please reach out to us here!
Anybody can report new vulnerabilities to Patchstack. Everybody who has reported 3 or more valid vulnerabilities to the Patchstack Database will also receive an invitation to become a member of the Patchstack Red Team.
All reports that have been validated follow our responsible disclosure policy and are made publicly available in the Patchstack Database. Credit always goes to the original researchers!
Read an interview with one of the Patchstack Red Team members, m0ze.
The Patchstack Red Team community is growing every month, and its impact has become significant. While many of these vulnerabilities are already disclosed in the Patchstack Database, a large number of them are still waiting to be patched by the developers. We’re working hard on that!
Here are some statistics from the vulnerabilities reported in May.
The most popular affected plugin had 5+ million active installs; the smallest had 2000 active installs. Of all 292 vulnerabilities, a large portion were found in “featured” plugins. If you wish to feature your plugin in front of the Patchstack Red Team and help the initiative, please get a quote here.
1. m0ze (1546 points) total 149 vulnerabilities;
2. Thura Moe Myint (746 points) total 101 vulnerabilities;
3. Ngo Van Thien (Sun* R&D Lab) (547 points) total 11 vulnerabilities;
4. Lenon Leite (410 points) total 20 vulnerabilities;
5. Julio Potier (186 points) total 6 vulnerabilities;
Want to join Patchstack Red Team? Get $50 for your first finding.