Patchstack Can Now Assign CVE IDs As New CVE Numbering Authority (CNA)

Published 16 June 2021
Updated 18 July 2023

We are thrilled to finally announce that as of June 2021, Patchstack has been named by the Common Vulnerabilities and Exposures (CVE®) Program as a CNA (CVE Numbering Authority).

As a CVE Numbering Authority, Patchstack is authorized to assign CVE IDs for new vulnerabilities submitted by the Patchstack Alliance for WordPress Core, WordPress Plugins, WordPress Themes, and other PHP components.

Our team will help researchers who submit new vulnerabilities to the Patchstack Database validate the vulnerability and reach out to the developer for proper fixes. Ultimately, if applicable, Patchstack will assign the CVE ID to the original researcher.

What is CVE?

CVE is an international, community-based effort and relies on the community to discover vulnerabilities. Vulnerabilities are discovered, then assigned and published to the CVE List.

The CVE List is built by CVE Numbering Authorities (CNAs). Every CVE Record added to the list is assigned by a CVE Numbering Authority (CNA).

Partners (such as Patchstack) publish CVE Records to communicate consistent descriptions of vulnerabilities. Information technology and cybersecurity professionals use CVE Records to ensure they are discussing the same issue and to coordinate their efforts to prioritize and address the vulnerabilities.

What is Patchstack Alliance?

Patchstack Alliance is a bug hunting community of independent security researchers who help strengthen the WordPress ecosystem by looking for security vulnerabilities in WordPress core, themes, and plugins.

We believe that the WordPress ecosystem needs a strong security community that involves independent security researchers, WordPress security vendors, hosting companies, and anyone else who serves the WordPress ecosystem.

If the community comes together and shares the information and supports each other, we not only keep our customers safer but move the whole WordPress ecosystem towards a brighter, safer future!

Why report new vulnerabilities to Patchstack?

Anybody can report new vulnerabilities to Patchstack. Everybody who has reported valid vulnerabilities to Patchstack Database will also receive an invitation to become a member of the Patchstack Alliance.

All reports that have been validated will follow our responsible disclosure policy and will be made publicly available on Patchstack Database. Credit will always go to original researchers!

List of benefits as a member of the Patchstack Alliance:
  • Get access to the Patchstack Alliance bug hunting platform that helps you with research.
  • Join the Patchstack Alliance Discord channel where you’ll meet other security researchers.
  • Compete for a monthly cash prize pool ($1500 in June).
  • A dedicated team will help you during the triage process.
  • And as of today – get CVE IDs in your name directly through Patchstack.

Read an interview with one of the Patchstack Alliance members, m0ze.

The mission of the CVE® Program

The mission of the Common Vulnerabilities and Exposures (CVE®) Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.

There is one CVE Record for each vulnerability in the catalog. Vulnerabilities are discovered, then assigned and published by organizations from around the world that have partnered with the CVE Program.

Partners publish CVE Records to communicate consistent descriptions of vulnerabilities. Information technology and cybersecurity professionals use CVE Records to ensure they are discussing the same issue and to coordinate their efforts to prioritize and address the vulnerabilities. 
