In this article, we will explain how to report WordPress security vulnerabilities, both to the Patchstack open database and directly to the vendors or the WordPress security team.
In 2020 nearly 600 unique security vulnerabilities were found in WordPress plugins, themes, and in the WordPress core combined. The majority of such vulnerabilities were found and reported by independent security researchers, developers, and WordPress security companies.
Since early 2021, Patchstack has been actively building an initiative called Patchstack Red Team, a community of independent security experts who are rewarded for identifying vulnerabilities in WordPress plugins, themes, and core.
In this article, we’ll introduce a few ways to responsibly report WordPress security vulnerabilities.
If you’ve found a vulnerability in a WordPress plugin or a theme, the best place to report it is Patchstack. If you haven’t reported any vulnerabilities to Patchstack before, you’ll earn a $50 USD gift card for contributing to WordPress security.
Once you have reported 3 or more vulnerabilities to Patchstack, you’ll receive an invite to become a member of the Patchstack Red Team.
Patchstack Red Team is a community of security professionals who actively find security issues in WordPress and help the developers to fix them.
When reporting vulnerabilities to Patchstack, the often complicated disclosure process is 100% managed by Patchstack.
Reporting directly to Patchstack comes with a great list of benefits, such as:
You can always report vulnerabilities directly to the plugin/theme developer. Sometimes, it can be hard to find the right contact or get in touch with the developer.
In that case, you have to be careful that the information won’t get into the wrong hands.
Make sure not to publish the information anywhere public until the developer has fixed the issue, and once it is fixed, give users some time to update before disclosing details.
Read the WordPress security processes here.
Whether you’ve just stumbled upon a vulnerability and are wondering how to report WordPress vulnerabilities, or you are an active researcher contributing to WordPress security, Patchstack is the best way to be recognized and rewarded for your efforts.
Report your vulnerability via the form here: https://patchstack.com/red-team/