In this article, we will explain how to report WordPress security vulnerabilities, both to the Patchstack open database and manually to the vendors or the WordPress security team.
In 2020, nearly 600 unique security vulnerabilities were found in WordPress plugins, themes, and WordPress core combined. The majority of these vulnerabilities were found and reported by independent security researchers, developers, and WordPress security companies.
Since early 2021, Patchstack has been building an initiative called Patchstack Alliance, a community of independent security experts who are rewarded for identifying vulnerabilities in WordPress plugins, themes, and core.
Below, we’ll introduce a few ways to responsibly report WordPress security vulnerabilities.
Easiest way: Report to Patchstack (recommended)
If you’ve found a vulnerability in a WordPress plugin or a theme, the best place to report it is Patchstack.
Once you have reported a valid vulnerability to Patchstack, you’ll receive an invite to become a member of the Patchstack Alliance.
Patchstack Alliance is a community of security professionals who actively find security issues in WordPress and help the developers to fix them.
Read an interview with Patchstack Alliance member m0ze here.
Why is Patchstack the best place to report WordPress security vulnerabilities?
When you report a vulnerability to Patchstack, the often complicated disclosure process is fully managed by Patchstack.
Reporting directly to Patchstack comes with a great list of benefits, such as:
- Patchstack will make sure your reports will get the appropriate attention from the developer.
- Patchstack will make sure you will get proper credit for your research efforts.
- You will receive assistance in getting a CVE ID for your reported WordPress vulnerabilities.
- Becoming a member of the Patchstack Alliance will get you in touch with the top WordPress security professionals.
- Becoming a member of the Patchstack Alliance will get you an opportunity to earn cash prizes every month.
- Members of the Patchstack Alliance have access to a reporting platform that will make it very easy to put together new reports and to keep track of the existing report’s progress.
- Once fixed by the developers, your vulnerability reports will eventually be added to the public Patchstack Database.
Doing it manually: Reporting issues directly to the vendor or to the WordPress security team
You can always report vulnerabilities directly to the plugin or theme developer. Sometimes, however, it can be hard to find the right contact or to get in touch with the developer at all.
In that case, be careful that the details do not end up in the wrong hands: share the report only through a channel you have confirmed actually belongs to the developer, not through a public issue tracker, forum, or support thread.
Do not publish the details anywhere public before the developer has fixed the issue, and once it is fixed, give users some time to update before disclosing.
According to WordPress.org, these are the details you should send to plugins@wordpress.org if you find a new vulnerability:
- A clear and concise description of the issue;
- A link to the specific plugin;
- Whether or not you have validated the security issue yourself;
- Optional: links to any public disclosures on third-party sites.
Read the WordPress security processes here.
Ready to report WordPress security vulnerabilities and get rewarded?
Whether you’ve just stumbled upon a vulnerability and are wondering how to report it, or you are an active researcher contributing to WordPress security, Patchstack is the best way to be recognized and rewarded for your efforts.
Report your vulnerability via the form here.
How to report WordPress vulnerabilities?
Reporting to Patchstack is easy. If you’ve found a vulnerability in WordPress core, a plugin, or a theme, the best place to report it is Patchstack.
Once you have reported a valid vulnerability to Patchstack, you’ll receive an invite to become a member of the Patchstack Alliance.
To report your first vulnerability:
1. Go to: https://patchstack.com/bug-bounty/
2. Fill in the form with your name, email, and homepage, and the title and type of the vulnerability.
3. After we have received your submission, we will contact you.
What is Patchstack Alliance?
Patchstack Alliance is a community of security professionals who actively find security issues in WordPress and help the developers to fix them.
Do I get rewarded for my finds?
Yes. Members of the Patchstack Alliance have the opportunity to earn cash prizes every month, and Patchstack makes sure you are recognized and credited for your research efforts.
Do I get CVE ID for my reported WordPress vulnerabilities?
Yes, Patchstack has been named by the Common Vulnerabilities and Exposures (CVE®) Program as a CNA (CVE Numbering Authority).
As a CVE Numbering Authority, Patchstack is authorized to assign CVE IDs for new vulnerabilities submitted by Patchstack Alliance for WordPress Core, WordPress Plugins, WordPress Themes, and other PHP components.
Will I get proper credit for my research?
Yes. Patchstack makes sure your reports get the appropriate attention from the developer and that you get proper credit for your research efforts, including assistance in getting a CVE ID for your reported vulnerabilities. Once fixed by the developers, your vulnerability reports are added to the public Patchstack Database with your credit attached.
Can I get some other publicity when I join your Alliance?
We interview Alliance members to tell their stories and how they found their way into security research. We are also open to new ideas on how to give more publicity to our researchers, so if you have any, let us know.