Updated: 1 July, 2021

WordPress Bug Hunt 2021

Agnes Talalaev
from patchstack

Over the past 2 months, Patchstack Red Team has helped to identify and fix over 400 security vulnerabilities found in WordPress plugins and themes.

We have monthly cash prizes for security researchers who report vulnerabilities to Patchstack Database (in July – it’s $1500 USD).

But… we want to show our deep appreciation for the Patchstack Red Team community and therefore we’re excited to announce the annual games of WordPress Bug Hunt!

wordpress bug hunt

Report any WordPress vulnerability to participate

While the monthly cash prize pool is paid to the active Patchstack Red Team members only – we want to expand the opportunity to win prizes for everyone.

All you need to do is report at least one valid vulnerability within a WordPress core, theme, or plugin via the form here and you’ll have a chance to be selected as a winner of WordPress Bug Hunt at the end of the year – so you have plenty of time to participate.

If you report more than 3 valid vulnerabilities, you’ll also get the invitation to the Patchstack Red Team and a chance to be part of the monthly cash prizes!

Wide range of infosec prizes

At the end of the year, anyone who has reported at least 1 vulnerability between July 1st – 30th of December will have a chance to win one of the following prizes:

  • 1 x HAK5 Essentials Field Kit
  • 2 x BurpSuite PRO annual license
  • 2 x PentesterLab PRO annual license
  • 3 x Patchstack Red Team hoodie
  • 3 x Patchstack Red Team water bottle

The winners will be announced on Friday 31st of December 3PM GMT.

Rules to keep in mind for the WordPress Bug Hunt

  • Only new vulnerabilities are accepted.
  • Vulnerabilities can’t be previously disclosed elsewhere.
  • You can increase your chances by a maximum of 3x by reporting 3 unique vulnerabilities.
  • Each winner will randomly get 1 of the prizes.
  • All vulnerabilities must be detailed and submitted through the form here: patchstack.com/red-team/

Why report new vulnerabilities to Patchstack?

All reports that have been validated will follow our responsible disclosure policy and will later be made publicly available on Patchstack Database. Credit will always go to original researchers.

Report 3 or more vulnerabilities to:
  • Get access to the Patchstack Red Team bug hunting platform that helps you with research.
  • Get an invitation to a closed Slack group where you’ll meet other security researchers.
  • Compete for a monthly cash prize pool that increases every month ($1500 in July).
  • A dedicated team will help you during the triage process.
  • Get CVE IDs for your reports directly through Patchstack (How?).

Read an interview with one of the Patchstack Red Team members, m0ze.

Share This Article
Looks like your browser is blocking our support chat widget. Turn off adblockers and reload the page.