Developer

WebFactory Ltd

Current version

4.15

Installations

1,000,000

Last updated

1 month ago

Vulnerability disclosure program

21 November, 2023

This is the official vulnerability disclosure program for Maintenance. If you're a security researcher and believe that you have found a security vulnerability within our software, please send us details through the "report" form on this page. Please include as detailed information as possible, so we could verify the issue and get back to you as soon as possible with either additional questions or with a potential fix. All valid security vulnerabilities will receive a CVE and may also earn you rewards from Patchstack Alliance bug bounty program.

Plugin developer? Start a Managed Vulnerability Disclosure Program.

Free for all

Patchstack Zeroday payouts

See full terms

Patchstack pays a fixed bounty for high value vulnerabilities.

$4,800 Unauthenticated access leading to a full site compromise

$2,400 Subscriber or Customer level access leading to a full site compromise

Report for monthly rewards

To leaderboard

Members of the Bug Bounty program receive XP for their reports and are eligible for monthly cash rewards.

$1,000 Top ranking contributor

$700 Contributor ranking 2nd

$400 Contributor ranking 3rd

$300 Contributor ranking 4th

$250 Contributor ranking 5th

$200 Contributors ranking 6th to 10th

$100 Contributors ranking 11th to 15th

$50 One lucky pick

No active bounties by the developer

Eligibility and responsibility

We would like to thank everyone who submits valid reports that help us improve the security of Maintenance. However, only those that meet the following eligibility requirements may receive a monetary reward for vulnerabilities found in the Maintenance source code.

You must be the first reporter of a vulnerability.

The vulnerability must be a qualifying vulnerability (see below).

Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through patchstack.com.

You must avoid tests that could cause degradation or interruption of our service (refrain from using automated tools, and limit your requests per second). If you over do it, your IP address might be throttled or even (temporarily) blocked to protect our infrastructure. See how.

Reports on vulnerabilities are examined by our security analysts - our analysis is always based on worst case exploitation & the business criticality of the vulnerability, as is the reward we pay.

Qualifying vulnerabilities

SQL Injection

Cross Site Scripting (XSS)

Remote/Local File Inclusion

Cross-Site Request Forgery (CSRF)

Open Redirection

Bypass Vulnerability

Broken Access Control

Privilege Escalation

Arbitrary File Read/Download/Upload/Deletion

Sensitive Data Exposure

Arbitrary/Remote Code Execution

Server Side Request Forgery (SSRF)

Denial of Service

PHP Object Injection

Deserialization of untrusted data

Insecure Direct Object References (IDOR)

CSV Injection

Broken Authentication

Path Traversal

Race Condition

Non-qualifying vulnerabilities

Cross-Site Request Forgery (CSRF) on read-only actions

Pre-requisite of another vulnerability

Pre-requisite of specific or unusual conditions

Vulnerabilities that requires exotic server configurations or outdated server software

Missing encryption/hashing on potential sensitive information

Spoofing of data (User Agent, IP address, etc.) with no serious security impact

Report and compete for monthly rewards

To leaderboard

Members of the Patchstack Bug Bounty program are ellegible for monthly cash rewards.

Top contributor $650
2nd contributor $350
3rd contributor $250
Monthly contributors ranking 4th to 10th receive
$75
Monthly contributors ranking 11th to 15th receive
$50
One lucky researcher receives*
$50

Additional bounties can be paid out to Patchstack Bug Bounty members for findings that are beneficial to the community, particularly interesting or hard to find. Please read our full guidelines and terms before reporting.

Additional rewards by Patchstack

Vulnerability with the highest installation count* $100
Vulnerability that affects most (more than one) plugins* $100
Vulnerability with the highest CVSS (3.1) severity* $100
Additional bounties for achievements that are beneficial to the community or particularly interesting* $100

Security researcher? Report to Patchstack Bug Bounty to earn bounties and rewards!

Learn more

Known vulnerabilities

0 present
1 fixed
View on database
All active programs All active programs
Mobile Menu

Let us know if we have missed a vulnerability reported elsewhere

Mobile Menu Close

Thank you for contributing!

Close Mobile Menu