Join the global cybercrime resistance to make open-source safe

Report vulnerability

We are building the first gamified bug bounty platform which covers all WordPress plugins


Our pool for cash prizes, infosec tools and more is growing

Monthly cash payouts
2 x BurpSuite PRO annual license
2 x PentesterLab PRO annual license
Submit at least 3 vulnerabilities

Get invited to the community and receive platform access

Easily generate reports for vendors
Access to our exclusive Slack channel
Share tools, knowledge and research
Managed triage proccess

We handle reporting to vendors so you can focus on your research

Vulnerabilities get accepted faster
Get CVE's assigned in your name
Gain more time to do research

Frequently Asked Questions

Patchstack Red Team is a community of ethical hackers and developers who use our platform to research and report security issues in WordPress plugins to win monthly bounties and compete in annual competitions for grand prizes.

First off – community. We already have some of the best WordPress security talents so it might be interesting for you to join the discussions in the Red Team dedicated Slack channels.

Second thing – bounties. We paid almost 10K USD in the first six months of the Patchstack Red Team existence. In addition, we have monthly competition bounty pools and also annual grand prizes. Moreover, you will get early access to the Patchstack Red Team platform.

Other perks like triages and CVE IDs for your vulnerabilities are included. We will contact the vendors to save your time and make the patching process quicker before disclosing your research in our WordPress vulnerability database.

For now, we are "Invite Only". Submit three or more valid vulnerability reports for WordPress ecosystem components (WordPress plugins, themes, or even core) and we might send an invitation your way. We also keep an open eye for your previously discovered vulnerabilities.

Yes! Patchstack and our partners want to make WordPress and open-source safer by motivating researchers to check all WordPress ecosystem components despite their nature. Thanks to our partners, we can offer bounties for finding vulnerabilities in free as well premium WordPress components (even when the vendor does not pay bounties).

The annual competition is accessible to anyone who submits at least one vulnerability to us any time during the year. Monthly competitions are available only for Patchstack Red Team members.

Right now, we have a guaranteed bounty pool of 1500 USD per month, and it's growing.

While we do accept all vulnerability reports, we only count points (used for the bounty leaderboard) for security vulnerabilities that match the following requirements:

  1. Reported vulnerability should not require Admin, Superadmin, or another similar custom high capability role user to exploit the vulnerability successfully;
  2. CVSS 3.1 Base Score for reported vulnerability should be at least 4.0 (CVSS 3.1);
  3. Person has reported more than three vulnerabilities that pass requirements per month.

Vulnerabilities that are still valid but don't pass the requirements for bounties will be triaged, receive a CVE and will be counted for annual WP BUG HUNT prizes. More information is available in the Patchstack Red Team rules.

Our bounty pool is split into fixed bounties. All researchers who provide at least three valid vulnerability reports per month share a small part of the bounty pool and the TOP 3 receive more significant bounties. Right now, we have a guaranteed bounty pool of 1500 USD per month, and it's growing.

A combination of different parameters is used to calculate points. The two main parameters are the active install count of the reported component and the impact of the reported vulnerability (CVSS 3.1 base score). At the end of each month, points are summed up for each researcher meeting the previously mentioned requirements to establish a leaderboard.

For now, we only support PayPal payments with more alternatives coming soon. We cover all payout (PayPal) fees so you receive the exact amount promised. We are not responsible for other fees such as withdrawal or local taxes.

Your pledge will go towards further developing the platform and supporting the community prize pool. To find out more – get in touch!

Are you a plugin developer?

Receive regular audits after every update
Receive a Patchstack trust badge


Report +2 more vulnerabilities
Receive a Red Team invitation
For Hostings & Enterprises

Keep your customers safe with our Threat Intel Feed (API)

Schedule call






Image Photo Gallery Final Tiles Grid

Stored CrossSite Scripting (XSS) vulnerability




<= 3.5.2


The Buffer Button

Authenticated Stored CrossSite Scripting (XSS) vulnerability




<= 1.0


Translation Exchange

Authenticated Stored CrossSite Scripting (XSS) vulnerability




<= 1.0.14


Five Star Business Profile and Schema

Page creation and settings update leading to stored XSS vulnerability




<= 2.1.5


Leading the resistance