Earn cash bounties for reporting vulnerabilities in WordPress software

Zeroday bounties up to

$14,400
Receive payouts for reporting high-impact vulnerabilities
See terms
Expand rewards
Rewards
Installs
5M+
1M+
500K+
100K+
50K+
10K+
5K+
Subs./Customer.
$7,200
$3,600
$1,800
$900
$450
$225
$75
Unauth.
$14,400
$7,200
$3,600
$1,800
$900
$450
$150

Monthly TOP prize pool

$8,800
Guaranteed in monthly payouts to TOP20 + one lucky ethical hacker
Go to leaderboard
Expand rewards
Rewards
🥇 1st
🥈 2nd
🥉 3rd
4th
5th
6-10th
11-15th
16-19th
20th
Random pick
$2,000
$1,400
$800
$600
$500
$400
$200
$100
$50
$50

Level up to earn

$5,737
Accumulate XP to level up and earn passive rewards
How to earn XP
Expand rewards
Rewards
Lvl 10
Lvl 9
Lvl 8
Lvl 7
Lvl 6
Lvl 5
Lvl 4
Lvl 3
Lvl 2
🎁 $1337
$900
$800
$700
$600
🎁 $500
$400
$300
$200
Expand all rewards
Patchstack is the official security point of contact for 180+ plugins

Patchstack handles reporting to vendors so you can focus on research

We handle disclosure with vendors
Get the CVE's assigned in your name
A public profile to build reputation

The fastest growing open-source security community on Discord

Our community of experts were the #1 largest security contributors to the open-source ecosystem in 2023. Connect with and learn from fellow ethical hackers.
Join Discord

How to become a member?

1
Join the Alliance Discord and read the submission & payout terms
2
Report a vulnerability in WordPress (reports in some plugins earn extra XP)
3
Once verified, the CVE is published in your name and on your public profile
4
Compete for monthly bounties or earn passively by growing your level

What the FAQ?

Indeed, Patchstack is paying bounties for vulnerabilities even if the software vendors have no means to fund it. We finance the bounty program from our core business to give back to the community.

XP points are calculated by combining parameters like CVSS score, active installation (sales if premium) count, and prerequisite (authentication/authorization) needed to carry out an attack. No points are given if the reported component has less than 1000 active installs (sales if premium) or requires an admin/super-admin role as a prerequisite. However, these reports will still receive a CVE ID for the submitter.

For now, we only support PayPal payments. Patchstack covers all payout (PayPal) fees, so you receive the full amount exactly as promised. However, we are not responsible for other fees such as withdrawal or local taxes. Each researcher is responsible for administrating their local taxes related to the bounty payouts.

Everyone can join Patchstack’s Bug Bounty program as long as they are committed to making the WordPress ecosystem safer. By submitting at least one valid vulnerability report that meets Patchstack’s Bug Bounty program vulnerability report submission requirements, you become a member of Patchstack’s Bug Bounty program.

Patchstack’s Bug Bounty program is an open community of cyber security researchers, developers, pentesters, and bug bounty hunters who research and report security issues in WordPress plugins to win monthly bounties, special competitions, and seasons. Our reporting process and validation triage fast-track security patch creation for vendors, saving you time to do more research.

We already have some of the best WordPress security talents on our dedicated Discord channel, and our community was the world’s largest contributor of open-source vulnerability disclosures in 2023, surpassing even the GitHub community.

If you have questions, join our Discord and ask the staff.

We’ve paid $60K+ in bounties. Start earning for your security research today!

Looks like your browser is blocking our support chat widget. Turn off adblockers and reload the page.
crossmenu