Ship more secure code, faster


Security and compliance platform for open-source vendors

Comply with the European Cyber Resilience Act (CRA)

In Q4 2024, the Cyber Resilience Act (CRA) introduced obligatory software support and vulnerability disclosure guidelines for all commercial software with users in the European Union.

Patchstack solves this by acting as an expert intermediary and streamlines vulnerability disclosure for plugin and theme developers.

Learn more about CRA

CRA REQUIREMENTS

  • Vulnerability Disclosure Policy (VDP) template
  • A process to report security vulnerabilities
  • Document dependencies and libraries used
  • Share data with EU authorities
  • Notify users about vulnerability exploits
  • Provide security updates (separately) - Patchstack helps with patch validation

“We highly recommend Patchstack to other companies looking to enhance their security posture. For us, Patchstack is a true partner in our security efforts, and we're more than satisfied with their services.”

Miriam Schwab, Head of WordPress Relations

Patchstack’s managed VDP (mVDP) acts as an expert intermediary and streamlines vulnerability disclosure for plugin and theme developers.

Comparison

| Criterion                | mVDP by Patchstack                                                                                      | In-house VDP                                                                                   |
|--------------------------|---------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------|
| Cost                     | Free                                                                                                    | Tools and staff (security analyst)                                                             |
| Implementation           | 15 minutes                                                                                              | Process development takes time                                                                 |
| Compliance               | Pre-built compliance with CRA, ISO/IEC 29147, GDPR in mind                                              | Requires expertise (compliance officer) and time to research legalities                        |
| Talent                   | Patchstack runs the most active open-source bug bounty program and a top-tier triage team               | Security researchers are difficult to attract, motivate and manage                             |
| Threat intelligence      | Continuous 24/7 processing of incoming data, along with intelligence from third-party data sources      | Additional operational burden, and limited due to lack of monitoring in distributed software   |
| Quality                  | Fully filtered and valid reports with commentary from the triage team                                   | High percentage of false, incomplete and meaningless "beg bounty" reports                      |
| Vulnerability processing | Patchstack is the world's largest handler of vulnerability data (CNA)                                   | Obtaining CNA status to disclose vulnerabilities requires resources                            |
| Disclosure and handling  | Patchstack manages legal complexities and coordinates disclosure via best industry practices            | Higher legal risks due to lack of expertise, and additional operational burden                 |

Take your code security to the next level and partner with the leader in open-source security

Managed VDP

  • Price: Free (no credit card required)
  • Security programs: Unlimited
  • AI scan credits: Buy only

Streamline your disclosure process to fix security vulnerabilities faster and comply with emerging regulations.

Start a managed VDP for free

Includes

  • 1 seat
  • Vulnerability validation
  • CVE coordination
  • Patch validation
  • AXP boost +25% to motivate researchers
  • Follow CRA, ISO/IEC 29147, GDPR guidelines
  • Embeddable reporting form

Security Suite

  • Price: $75, billed monthly
  • Security programs: Unlimited
  • AI scan credits: 3/mo

Best for teams and vendors with multiple products. Security that scales with your organizational needs.

Get proactive security

Everything in the Free tier, plus:

  • 5 seats
  • AI code review (3 credits/mo, beta)
  • Patch recommendations
  • AXP boost +100% to motivate researchers
  • Access to report discussions board
NEW: Introducing Security Suite for vendors

Managed VDP will make you compliant. Security Suite will get you ahead of the game.

AI code review (beta)

Analyze code to proactively identify potential vulnerabilities before you deploy it

Perfect for teams

Manage security for multiple plugins? Collaborate with up to 5 team members.

Advanced insights

Unlock report discussion boards and receive recommendations for patch creation

Get proactive with AI code review (beta)

Manual audits tend to be expensive and bug bounty does not always guarantee attention. Our new security suite includes 3 monthly credits (about two scans) to proactively scan your code for possible vulnerabilities.

Upload code

Securely upload your codebase, receive an estimate for credit and initiate the asynchronous background scan.

Codebase analysis

Our AI agent analyzes your code for patterns and data flow, enriched with comprehensive context from our WordPress-specific vulnerability data.

Receive a report

Receive a report with code excerpts of possible vulnerabilities, with explanations and severity indicators.

Statistics

In Q1 2025, Patchstack became the all-time largest security vulnerability processor (CNA).

Bug Bounty

Patchstack runs the most active open-source bug bounty and rewards researchers on your behalf.

Auditing

Patchstack provides paid manual full-project code review for WordPress plugin and theme developers.

What the FAQ

If you have questions, do not hesitate to reach out via mvdp@patchstack.com.
