The New Chapter In WordPress Bug Bounty Hunting

Published 28 December 2023
Oliver Sild
CEO at Patchstack
Table of Contents

Patchstack has been pioneering the WordPress bug bounty hunting scene for many years now. 6 years ago, we came up with an idea on how to make open-source bug bounty hunting cover even the smallest projects (regardless of whether they make money or not).

This project was later renamed to Patchstack Red Team and then to Patchstack Alliance. Over the years, we’ve built the most active ethical hacker community behind WordPress and paid over $60,000 in cash rewards.

2023 was our most successful year ever, our community has grown to 400+ members, Patchstack became a member of the OpenSSF, and we’ve become the global leader of vulnerability intelligence in the world (highest number of CVEs assigned in 2023).

After we launched the Patchstack mVDP program in early 2023 for WordPress plugin developers, we started working on the new Patchstack bug bounty program. Today, we’re excited to announce the new Patchstack bug bounty competition, the Patchstack zero-day program, and the Patchstack researcher rank.

Updated WordPress bug bounty competition

We are not going to change what already works, but we are increasing the rewards significantly. Every month, the top researcher with the highest AXP score will receive $1000 USD. The second will get $700 and the third place will get $400.

Higher severity = higher AXP score.

The top 15 researchers get paid at least $100 each month (if they have at least 1 valid vulnerability reported). We also pay $50 randomly to one researcher each month who did not get to the top 15 but still contributed to the security of the open source with a valid vulnerability report.

patchstack wordpress bug bounty

Monthly cash rewards:

1st place$1,000.00
2nd place$700.00
3rd place$400.00
4th place$300.00
5th place$250.00
6th place$200.00
7th place$200.00
8th place$200.00
9th place$200.00
10th place$200.00
11th place$100.00
12th place$100.00
13th place$100.00
14th place$100.00
15th place$100.00
random prize $50.00
Patchstack WordPress bug hunting – Monthly guaranteed prize-pool

While the monthly guaranteed prize pool almost doubles in size, we’ve removed the “special bounties” to simplify the program as they would partially overlap with our new initiative, the Patchstack zero-day program.

Introducing the Patchstack zero-day program

Ever since we launched the Patchstack mVDP for plugins, we’ve also worked on getting per-vulnerability bounties to researchers in direct partnership with plugin developers.

We’ve made it simple for plugin developers to process vulnerability reports & pay additional bounties to the ethical hackers.

To make sure more security vulnerabilities with a potential of becoming exploited as zero-days get reported ethically, we launch the Patchstack zero-day program starting from January 1st. 2024.

Patchstack is paying up to $2000 per vulnerability for exploitable & critical vulnerabilities found in any of our partners’ plugins. It’s a simple and transparent system, where the payouts are based entirely on the number of active installs the vulnerable plugin has.

Today, we have over 200 WordPress plugins on the Patchstack managed vulnerability disclosure program such as Elementor, RocketWP, Kadence, MainWP, and many, many others.

You can see the full list here: https://patchstack.com/database/vdp

Per vulnerability cash rewards:

Payouts:Unauth.Subscriber/Customer
Active installs 10,000+$100.00$50.00
Active installs 50,000+$150.00$75.00
Active installs 100,000+$300.00$150.00
Active installs 500,000+$450.00$225.00
Active installs 1,000,000+$1,000.00$750.00
Active installs 5,000,000+$2,000.00$1,500.00
Patchstack zero-day program payout system

Here are the full requirements to be eligible for a bounty:

  • The software has an active VDP listed on patchstack.com/database/vdp/
  • The vulnerability leads to a full site compromise (ability to upload & access a functional backdoor).
  • The vulnerability is exploitable with Unauthenticated(none), Subscriber, or Customer (WooCommerce) permissions.
  • The report includes a working exploit.
  • No prerequisites (default settings / most common environment / does not need any other vulnerability to be present).
  • The exploitation does not require any user interaction.

All of the vulnerabilities reported to the Patchstack zero-day program will also receive AXP (with a bonus) which will be counted for the current month’s bug bounty competition.

PS! If you’re a plugin developer, you can sign up for the program for free here: https://patchstack.com/for-plugins/

Introducing the Patchstack researcher rank

Many of the most active community members have been active in WordPress bug bounty hunting and have been staying with us for years. They have shown incredible consistency and passion for open-source security.

To make them stand out from the rest of the community, we’ve introduced a level system.

All of the AXP you earn from reports will be permanently added to your profile. After your first valid report, you will start from level 1 and can reach the maximum level of 10. We also have rewards from Level 2 – Level 10.

Each reward can be earned once you reach the new level and the total amount of rewards you can unlock is $5737 USD with additional 2 mystery box rewards at level 5 and level 10.

Rewards unlocked on each level:

RankReward
Level 2$200
Level 3$300
Level 4$400
Level 5$500 + Mystery Box
Level 6$600
Level 7$700
Level 8$800
Level 9$900
Level 10$1337 + Mystery Box
Patchstack researcher rank prizes

Building the largest open-source security community

Our vision behind the Patchstack Alliance community and WordPress bug bounty hunting is to bring ethical hackers and open-source developers together. We believe that ethical hackers who contribute security reports to open-source projects are equal contributors to developers who contribute code.

We are well aware that what makes open-source software so great is the community and people behind it, so we must do the same for open-source security.

What this community has done for the WordPress ecosystem is already historical, but it’s all just the beginning.

We have much more exciting news coming in Q1, so whether you’re an ethical hacker or an open-source developer – don’t forget to join our community in Discord: https://discord.gg/uHcsy8rgPu

The latest in Patchstack news

Looks like your browser is blocking our support chat widget. Turn off adblockers and reload the page.
crossmenu