Updated: June 16, 2021

Patchstack Can Now Assign CVE IDs As New CVE Numbering Authority (CNA)

Agnes Talalaev
from patchstack

We are thrilled to finally announce that as of June 2021, Patchstack has been named by the Common Vulnerabilities and Exposures (CVE®) Program as a CNA (CVE Numbering Authority).

As a CVE Numbering Authority, Patchstack is authorized to assign CVE IDs for new vulnerabilities submitted by the Patchstack Red Team for WordPress Core, WordPress Plugins, WordPress Themes, and other PHP components.

Our team will help researchers who submit new vulnerabilities to the Patchstack Database to validate the vulnerability and to reach out to the developer for proper fixes. Ultimately, if applicable, Patchstack will assign the CVE ID to the original researcher.

What is CVE?

CVE is an international, community-based effort and relies on the community to discover vulnerabilities. Vulnerabilities are discovered, then assigned and published to the CVE List.

The CVE List is built by CVE Numbering Authorities (CNAs). Every CVE Record added to the list is assigned by a CVE Numbering Authority (CNA).

Partners (such as Patchstack) publish CVE Records to communicate consistent descriptions of vulnerabilities. Information technology and cybersecurity professionals use CVE Records to ensure they are discussing the same issue and to coordinate their efforts to prioritize and address the vulnerabilities.

What is Patchstack Red Team?

Patchstack Red Team is a bug hunting community of independent security researchers who help strengthen the WordPress ecosystem by looking for security vulnerabilities in WordPress core, themes, and plugins.

We believe that the WordPress ecosystem needs a strong security community that involves independent security researchers, WordPress security vendors, hosting companies, and anyone else who serves the WordPress ecosystem.

If the community comes together, shares information, and supports each other, we not only keep our customers safer but also move the whole WordPress ecosystem towards a brighter, safer future!

Why report new vulnerabilities to Patchstack?

Anybody can report new vulnerabilities to Patchstack. Everybody who has reported 3 or more valid vulnerabilities to the Patchstack Database will also receive an invitation to become a member of the Patchstack Red Team.

All reports that have been validated will follow our responsible disclosure policy and will be made publicly available in the Patchstack Database. Credit will always go to the original researchers!

List of benefits as a member of the Patchstack Red Team:
  • Get access to the Patchstack Red Team bug hunting platform that helps you with research.
  • Get an invitation to a closed Slack group where you'll meet other security researchers.
  • Compete for a monthly cash prize pool that increases every month ($1500 in June).
  • A dedicated team will help you during the triage process.
  • And as of today, get CVE IDs in your name directly through Patchstack.

Read an interview with one of the Patchstack Red Team members, m0ze.

The mission of the CVE® Program

The mission of the Common Vulnerabilities and Exposures (CVE®) Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.

There is one CVE Record for each vulnerability in the catalog. Vulnerabilities are discovered, then assigned and published by organizations from around the world that have partnered with the CVE Program.

Partners publish CVE Records to communicate consistent descriptions of vulnerabilities. Information technology and cybersecurity professionals use CVE Records to ensure they are discussing the same issue and to coordinate their efforts to prioritize and address the vulnerabilities. 
