This protocol outlines how security researchers, customers, partners, and anyone who interacts with Patchstack products can responsibly report security vulnerabilities.
Scope
This responsible disclosure program covers security vulnerabilities in:
- Patchstack’s website and web applications
- Patchstack’s WordPress plugin
- Patchstack’s APIs and infrastructure
- Any Patchstack-owned digital assets
Note: This program is for reporting vulnerabilities in Patchstack’s own products and services. For reporting vulnerabilities in WordPress plugins covered by our bug bounty program, please visit patchstack.com/bug-bounty.
How to Report a Vulnerability
If you believe you’ve discovered a security vulnerability in Patchstack’s products or infrastructure, please report it to us using one of the following methods:
Email (Preferred)
report-vulnerability@patchstack.com
Vulnerability Disclosure Form
Submit a report through our VDP portal: vdp.patchstack.com
What to Include in Your Report
To help us understand and address the issue quickly, please include:
- Clear description of the vulnerability
- Steps to reproduce the issue
- Proof of concept (PoC) or screenshots, if applicable
- Impact assessment – what could an attacker achieve?
- Your contact information (optional – anonymous reports are accepted)
Our Commitment to You
When you report a vulnerability to us in good faith, we promise:
- No legal action – We will not pursue legal action against good faith security research
- Quick acknowledgment – We will acknowledge receipt of your report promptly
- Regular updates – We will keep you informed throughout the remediation process (unless you prefer to remain anonymous)
- Fair treatment – We treat all security researchers with respect and professionalism
- Public credit – We will credit you for your discovery if you wish, once the issue is resolved and public disclosure is mutually agreed upon
Safe Harbor
We consider security research conducted under this policy to be:
- Authorized in accordance with relevant laws
- Conducted in good faith
- Lawful and exempt from legal action
To qualify for safe harbor protections, researchers must:
- Make a good faith effort to avoid privacy violations, data destruction, and service disruption
- Only access data necessary to demonstrate the vulnerability
- Not modify or delete any data
- Not perform actions that could degrade system availability or performance
- Not use social engineering tactics against Patchstack employees or customers
- Not publicly disclose the vulnerability before it has been resolved
Rewards
Rewards, if offered, are determined solely by Patchstack based on:
- The severity of the vulnerability (CVSS score)
- The quality and clarity of the report
- The impact on our users and systems
Please note that attempts to pressure, negotiate, or demand bounty payments may result in disqualification from reward consideration.
Coordinated Disclosure
We believe in coordinated disclosure. Once a vulnerability is fixed and no longer poses a risk to our users, we may work with you to publicly disclose the details.
Public disclosure will only occur when:
- The vulnerability has been fully remediated
- All affected users have been protected
- Both parties agree on the disclosure timeline and content
- Disclosure will not create additional harm
Out of Scope
The following are generally considered out of scope:
- Issues in third-party applications or websites not owned by Patchstack
- Social engineering attacks
- Physical attacks against Patchstack offices or data centers
- Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks
- Spam or social engineering content
- Reports from automated tools without validation
- Issues that require unlikely user interaction
- Recently disclosed 0-day vulnerabilities (please give us time to patch)
- Excessive data collection, storage and distribution
- Technical issues without measurable security impact – theoretical vulnerabilities that are impossible to exploit under real-life conditions
- Vulnerabilities that would be valid only in an environment other than the one Patchstack uses for certain systems/services
Response Timeline
Our typical response timeline:
- Initial response: Within 2 business days
- Triage and validation: Within 5 business days
- Resolution timeline: Varies based on severity, following our internal SLAs
Questions?
If you have questions about this program, the scope, or whether a particular action would be considered good faith research, please contact us at report-vulnerability@patchstack.com.
Thank you for helping us keep Patchstack and our users secure.