WordPress Bug Hunt 2021

Published 1 July 2021
Updated 19 July 2023
Agnes Talalaev
SEO wizard at Patchstack
Table of Contents

Over the past 2 months, Patchstack Alliance has helped to identify and fix over 400 security vulnerabilities found in WordPress plugins and themes.

We have monthly cash prizes for security researchers who report vulnerabilities to Patchstack Database (in July - it's $1500 USD).

But... we want to show our deep appreciation for the Patchstack Alliance community and therefore we're excited to announce the annual games of WordPress Bug Hunt!

wordpress bug hunt

Report any WordPress vulnerability to participate

While the monthly cash prize pool is paid to the active Patchstack Red Team members only - we want to expand the opportunity to win prizes for everyone.

All you need to do is report at least one valid vulnerability within a WordPress core, theme, or plugin via the form here and you'll have a chance to be selected as a winner of WordPress Bug Hunt at the end of the year - so you have plenty of time to participate.

If you report a valid vulnerability, you'll also get the invitation to the Patchstack Alliance and a chance to be part of the monthly cash prizes!

Wide range of infosec prizes

At the end of the year, anyone who has reported at least 1 vulnerability between July 1st - 30th of December will have a chance to win one of the following prizes:

  • 1 x HAK5 Essentials Field Kit
  • 2 x BurpSuite PRO annual license
  • 2 x PentesterLab PRO annual license
  • 3 x Patchstack Red Team hoodie
  • 3 x Patchstack Red Team water bottle

The winners will be announced on Friday 31st of December 3PM GMT.

Rules to keep in mind for the WordPress Bug Hunt

  • Only new vulnerabilities are accepted.
  • Vulnerabilities can't be previously disclosed elsewhere.
  • You can increase your chances by a maximum of 3x by reporting 3 unique vulnerabilities.
  • Each winner will randomly get 1 of the prizes.
  • All vulnerabilities must be detailed and submitted through the form here: patchstack.com/red-team/

Why report new vulnerabilities to Patchstack?

All reports that have been validated will follow our responsible disclosure policy and will later be made publicly available on Patchstack Database. Credit will always go to original researchers.

Report a vulnerability to:
  • Get access to the Patchstack Alliance bug hunting platform that helps you with research.
  • Compete for a monthly cash prize pool that increases every month ($1500 in July).
  • A dedicated team will help you during the triage process.
  • Get CVE IDs for your reports directly through Patchstack (How?).

Read an interview with one of the Patchstack Red Team members, m0ze.

The latest in Patchstack News

Looks like your browser is blocking our support chat widget. Turn off adblockers and reload the page.