Patchstack alliance Archives - Patchstack
Feed generated Tue, 03 Mar 2026 08:20:47 +0000

Interview with Kévin Mosbahi AKA Mika
https://patchstack.com/articles/interview-with-kevin-mosbahi-aka-mika/
Tue, 21 Jan 2025 10:59:43 +0000

Today we present an interview with Kévin Mosbahi (most of you probably know him by his nickname, Mika). He lives in France and has been passionate about computers since he was a teenager. Over time he specialized in security, which is his current day job. He's a fast learner and he loves learning new things from different fields!

He's also on the Patchstack Alliance all-time researcher podium with over 630 contributions.

Why did you end up in security? Was this your plan all along or was it an accident?

I ended up in the field of IT security because it was a logical continuation of my computer training. I started playing around with computers at the age of 10-11 and at first, I was scared because at the time I had a horrible technology teacher who made nasty remarks so at every computer session I purposely forgot my login details!

Then I gained confidence and at the age of 13, I started to create my own game server, which enabled me to learn SQL, Java, PHP, RDP, and how web servers work. I was able to earn around €500, which enabled me to buy a more powerful PC (4GB RAM).

After that, I always dabbled a bit in IT but never professionally, and then in 2018 I decided to start studying IT (I was originally studying health & sports), so I gradually progressed in areas such as networking, Linux, and Windows. Later I discovered the Root-Me site, which allowed me to start getting a foothold in the world of CTF, and then TryHackMe, which is a great learning site.

So I don't think it was a predefined goal to work in security, for me it was a logical progression given that I'm very curious and I like to know how things work.

What tips would you give a person interested in ethical hacking?

For me, it's essential to have solid IT basics. I've known a lot of people who wanted to get into cybersecurity without having a basic understanding of IT, and I don't think that's going to work.

So my advice is to get a minimum level in networking, systems (Windows and Linux), and programming to be able to script (Python, Bash), and have a global vision of how the Internet works (DNS, IP, DHCP, etc.).

Once you've got this down, you can move on to learning sites, and I recommend sites like Root-me, and TryHackMe (especially this one, as I think it's the best learning site).

I'd also advise you to put your ego aside, never rest on your laurels, and always be on the lookout for new things, as the field is constantly evolving.

How do you find vulnerabilities? Do you have some proven practices? Do you hunt for a specific type of vulnerability or not?

At the very beginning of my research adventure I was mostly black-boxing, taking plugins at random or by theme, but over time I moved towards white-boxing. My process is to analyze the source code of plugins, focusing on dangerous patterns/functions that I know, I analyze each plugin by hand and I also test it by hand, and I do very little automation.

I'm mainly looking for Broken Access Control & Privilege Escalation.

What makes Patchstack’s bounty program different from the rest?

The community makes Patchstack different from other traditional Bug Bounty sites, the fact that there are events by theme is really good too, and the VDP interface is great for managing your submissions. But above all, the responsiveness of the team, particularly when it comes to validating vulnerabilities: the process is very fast and very fluid.

I'd also add the fact that there's a lot of sharing, especially of articles on the blog and shares on the Discord channel.

Is there a vulnerability you found that you are most proud of? How did you find it and why do you consider it so special?

Given that I've found a lot of vulnerabilities (almost 700 in total), I don't have any that stand out (it's hard to remember them all 😂), but my favorites are Unauthenticated vulnerabilities, especially RCE Unauthenticated and Privilege Escalation Unauthenticated.

If you had unlimited power and could change one thing in WordPress’ security - what would it be and why?

For my part, I find the WordPress core to be relatively secure, and for me, the problem lies in the way security is implemented by the devs.

I think we need to raise awareness among the actors in this field, and on the technical side, I think we might need to review the critical endpoints on the AJAX side, which can lead to quite a few vulnerabilities.

How have your hacker skills and mindset come in handy elsewhere?

I think the Hacker mindset is useful in almost every task in life. The most important thing is to put yourself in the shoes of the person in front of you and try to understand why things are done in a certain way. I've already adopted a Hacker mindset to make things in life easier.

You can connect with Mika on:

Handling plugin security: Interview with LiteSpeed Cache's Hai Zheng
https://patchstack.com/articles/handling-plugin-security-interview-with-litespeed-cache-hai-zheng/
Wed, 20 Nov 2024 14:14:44 +0000

Today we present an interview with Hai Zheng. Hai works at LiteSpeed Technologies and is a man who chases better code and products tirelessly, so before he knew it, he just happened to learn PHP, JS, CSS, React, NodeJS, Python, Go, MySQL, and ScyllaDB. 😉 He plays, researches, and designs products for fun.

Tell us a bit about LiteSpeed Cache. How does it differ from other caching plugins?

The LiteSpeed Cache plugin started as a way to connect WordPress sites with LiteSpeed's server-side page cache. After v1.14, we started to gradually introduce other types of optimization features that are important for WordPress visitor experience: page optimization, image optimization, database optimization, in-memory cache (Redis/Memcached), browser cache, and CDN support for example.

Also, LiteSpeed Cache provides ESI (Edge Side Includes) support, which allows a user to punch holes in a cached page, and cache certain parts differently. This is great for personalized content like shopping carts.

I believe each plugin has its own advantages and target audience. For example, WP Rocket has good features and user-friendliness. On the LiteSpeed side, our server-side cache has an advantage over other plugins' application-level cache: it is built into LiteSpeed servers. It's similar to the way Apache works with Varnish cache, except with LiteSpeed it's all built-in, and no proxy is required. Server-level cache is faster than rewrite-rule-based cache can ever be.

We aim for simple, good-quality code. That can mean more time in development, but it brings us a lower cost and easier maintenance.

Why do you think it got so popular?

I don't have a clue, we never advertise. Just kidding of course 🙂

The truth is, there are several reasons:

  • We listen to user feedback and add requested features
  • We keep new releases coming fast
  • Potential users test it and can feel the difference right away
  • Word of mouth

Lately, there have been a few rather severe vulnerabilities found in the plugin. Why did they happen and what did you learn from them?

No matter how careful we try to be, and how much we consider the implications of all of our code, accidents and unforeseen situations can happen in the wild, especially as a project grows. With care, we can keep the impacts of any exploits to a minimum.

We've learned that attackers will take advantage of any minor unconsidered conditions that they can, so we need to keep an eye out for those situations.

In general, the impacts of most of the recent vulnerabilities have been minor, or have been simple to mitigate, because security is an important concern for us from the start. We test a lot before publishing any releases.

On the bright side, you handled them swiftly (one fix was ready the same day it got reported) and were transparent about what happened. Please share some information about your security-related procedures and how they changed lately.

The security reports provided by Patchstack are professionally written and make it easy for us to locate the problem. Our in-house developers write and maintain the plugin codebase. As a team, we understand the code thoroughly. We have a number of dedicated server environments for testing. So, we can be quick to act, quick to test, quick to release a patch, and quick to announce it to our users.

Other than plugin-side fixes, we can release patches for LiteSpeed Web Server to protect even those sites that are running old versions of the plugin.

Do you have any security tips for plugin developers?

  • Dry run before wet run. In the development stage, I require my team and myself to dry-run the code. This means we make sure we fully understand and control our code. We imagine and account for as many possible test cases as we can before we rush into testing.
  • Stay calm in an emergency. Find the most efficient way to minimize the impact. For us, this goes beyond just the plugin development team, and it means informing our partners, patching the web server code to block further hacking attempts, updating our control panel plugins to allow hosting companies to mass update the plugin, and announcing it in our social channels.
  • Keep communication with users transparent and open.
  • Keep learning new things. Learn the lesson that every vulnerability teaches, and apply it to future work.
  • Take ownership of the product, and treat users well. While our goal is to facilitate faster websites for our users, at the same time it can be really rewarding on a personal level. During the process, we build trust with our users, improve our own mindsets, and become better selves. I think the humanity of it all is important, and it impacts everything else, including security.

How do you feel about Patchstack’s mVDP? Do you think it’s valuable for plugin vendors?

Patchstack mVDP is a smart idea and a useful service. It allows plugins to enhance their security and provide a patch at the earliest possible time. I am glad to see that many other researchers have researched our codebase so deeply!

If you had unlimited power to change one thing regarding WordPress' security - what would it be?

Add an AI model to the WP forum that reviews all plugin code and automatically provides improvement suggestions to all plugins. 😆

You can connect with Hai on LinkedIn.

Biggest WordPress Bug Bounty program upgrade is here!
https://patchstack.com/articles/biggest-wordpress-bug-bounty-program-upgrade-is-here/
Wed, 31 Jul 2024 14:47:32 +0000

The WordPress Bug Bounty program by Patchstack is something that we are proud of. We were the pioneers and icebreakers who revolutionized the WordPress ecosystem by starting the first public Bug Bounty program, which included all WordPress plugins/themes and even core in its scope. We were the first ones to offer bounties for vulnerabilities discovered in free WordPress components.

Since the program's introduction in 2021, we have paid more than $80k in bounties. The program has evolved through many steps, starting with polishing the rules and making the competition between all researchers fair and open. With each upgrade, we have tried to make our WordPress Bug Bounty program more friendly, accessible to anyone, and generous to all who deserve it.

We always tried to put an accent on the community, and it paid off well. The Bug Bounty program was a trigger that gathered many people, like security researchers and developers, into the Patchstack Alliance community, which is the backbone of the WordPress Bug Bounty program and is open to anyone on the Patchstack Alliance Discord server. Seeing so many people discussing, sharing information, and researching to make open-source software safer is a vision we always had on our minds.

We see that the Bug Bounty program has grown out of its former frame and needs another upgrade - and we are glad to announce that the Patchstack Bug Bounty program gets its most significant upgrade since its release in 2021!

Monthly competition and bounties

We have great news for all researchers competing in the monthly Bug Bounty program competitions. We thought about what would be good enough to show that we really appreciate your input into WordPress security, and we got the idea: monthly competition bounties will now be twice as big (2x). We are also introducing extra positions: from now on, the monthly competition will cover the TOP 20 (instead of the TOP 15). And we now have a guaranteed bounty pool of $8,800 for monthly competitions (the previous pool was $4,250).

Position   Bounty
1          $2,000.00
2          $1,400.00
3          $800.00
4          $600.00
5          $500.00
6          $400.00
7          $400.00
8          $400.00
9          $400.00
10         $400.00
11         $200.00
12         $200.00
13         $200.00
14         $200.00
15         $200.00
16         $100.00
17         $100.00
18         $100.00
19         $100.00
20         $50.00
Random     $50.00

Monthly competition bounties for researchers who have more than 0 AXP points.

Zeroday program bounties

Patchstack Bug Bounty program researchers worldwide have proved that they can find non-ordinary vulnerabilities that pose the highest risk to users of vulnerable software and are exploitable due to their specific nature. Zeroday (0day) vulnerabilities are something special that we try to catch in time, to protect software users and website visitors from any malicious impact. To show how important this is for us and the WordPress ecosystem, we decided to increase the bounties we give for the Zeroday program, which is now up to $14,400 per valid report.

Highest payout per reported WordPress Zeroday (0day) vulnerability. Biggest WordPress Bug Bounty program.

Also, we are introducing lower-range bounties for components with a lower active install count. We will accept reports for the Zeroday program even if the vulnerable component has as few as 5,000 active installations. And now, the fun part. These are the new bounties for the Zeroday program:

Active installs   Unauthenticated   Subscriber/Customer
5,000+            $150.00           $75.00
10,000+           $450.00           $225.00
50,000+           $900.00           $450.00
100,000+          $1,800.00         $900.00
500,000+          $3,600.00         $1,800.00
1,000,000+        $7,200.00         $3,600.00
5,000,000+        $14,400.00        $7,200.00

Bounties for the Zeroday program.

Let's celebrate!

Yes, let's celebrate because why not? You remember those special events we had before and how intense the competition was. Let's play again! Last time, we were looking for Cross-Site Scripting (XSS) vulnerabilities, but this time, let's hunt for SQL Injection (SQLi) vulnerabilities.

Let's call this special event "Back to SQL" because many researchers will soon return to their schools and universities at the beginning of September, so why not have some fun before that?

WordPress Bug Bounty program special event - "Back to SQL".

Rules are simple

  • Time – from 1 August 2024 (00:00:01 UTC) to 31 August 2024 (23:59:59 UTC).
  • Scope – SQLi vulnerabilities with severity not lower than 8.0 (excluding vulnerabilities requiring superadmin, admin, or any custom high privilege role) in components with 10K or more active installs with the last update not over three years old.
  • Bounties – AXP x2 (will be counted for the monthly competition) + bounty per vulnerability: CVSS 8.x – $75, CVSS 9.x – $100, CVSS 10 – $150.
  • For other rules check the WordPress Bug Bounty program guides and rules.

What's next?

The biggest change coming soon is self-managed profiles for researchers. We are upgrading the way researchers can manage their profiles and see all their stats and reports. More surprises are coming, so stay in touch to get the latest news right away.

Patchstack WordPress Bug Bounty program upgrade. Higher bounties, more winners.

More information

Official announcements and program updates are published on the Patchstack Alliance Discord server and on the official Patchstack social media channels. If you need additional information, you can open a support ticket on the Patchstack Alliance Discord to ask for help.

Twitter(X) https://twitter.com/patchstackapp
Facebook https://www.facebook.com/patchstackapp
LinkedIn https://www.linkedin.com/company/patchtsack

Patchstack Alliance Bounty Program Events for December
https://patchstack.com/articles/patchstack-alliance-bounty-program-events-for-december/
Fri, 01 Dec 2023 12:49:08 +0000

This year was legendary for the Patchstack Alliance bounty program project, and to finish this year on the highest note, we decided to make four additional weekly events for December. Some of you remember when we did that last year, and it was a mind-blowing competition that echoed for several months after. So let's do it again!

Events

We have four full competition weeks in December, each dedicated to particular vulnerabilities.

🏁 Week #1 - December 4-10, 2023 (finished!)

The first week is an easy one - warm up before getting serious. In the first week, you will compete by reporting Broken Access Control and Cross-Site Request Forgery (CSRF) vulnerabilities.

Patchstack Alliance December event / Week #1 - Broken Access Control and Cross-Site Request Forgery (CSRF) vulnerabilities

Week 1 results

🥇 Mika - 115,40 AXP ($300 bounty)
🥈 Le Ngoc Anh - 67,45 AXP ($200 bounty)
🥉 Friday - 32,75 AXP ($100 bounty)
🎖️ Yudistira Arya - 16,90 AXP
🎖️ Joshua Chan - 16,40 AXP

🏁 Week #2 - December 11-17, 2023 (finished!)

The second week will get more serious as you will compete by reporting Cross-Site Scripting (XSS) and Sensitive Data Exposure vulnerabilities.

Patchstack Alliance December event / Week #2 - Cross-Site Scripting (XSS) and Sensitive Data Exposure vulnerabilities

Week 2 results

🥇 Le Ngoc Anh - 252,05 AXP ($300 bounty)
🥈 Ngô Thiên An (ancorn_ from VNPT-VCI) - 214,7 AXP ($200 bounty)
🥉 Joshua Chan - 78,2 AXP ($100 bounty)
🎖️ Yudistira Arya - 42,6 AXP
🎖️ Dhabaleshwar Das - 14,2 AXP
🎖️ Dimas Maulana - 14,2 AXP
🎖️ Mika - 13,99 AXP
🎖️ Bryan Satyamulya - 8,85 AXP

🏁 Week #3 - December 18-24, 2023 (finished!)

On the third week of December, you can show your skills by reporting SQL Injection (SQLi), Open Redirection, and Broken Authentication/Bypass vulnerabilities.

Patchstack Alliance December event / Week #3 - SQL Injection (SQLi), Open Redirection and Broken Auth/Bypass vulnerabilities

Week 3 results

🥇 Le Ngoc Anh - 69,13 AXP ($300 bounty)
🥈 Yudistira Arya - 59,77 AXP ($200 bounty)
🥉 Joshua Chan - 27,9 AXP ($100 bounty)
🎖️ Ngô Thiên An (ancorn_ from VNPT-VCI) - 9,56 AXP

🏁 Week #4 - December 25-31, 2023 (finished!)

In the year's final week, you'll compete with other elite researchers in finding Remote Code Execution (RCE), PHP Object Injection, Arbitrary File (upload/download/deletion), and Privilege Escalation vulnerabilities.

Patchstack Alliance December event / Week #4 - Remote Code Execution (RCE), PHP Object Injection, Arbitrary File (upload/download/deletion), and Privilege Escalation vulnerabilities

Week 4 results

🥇 Yudistira Arya - 149,80 AXP ($300 bounty)
🥈 Ngô Thiên An (ancorn_ from VNPT-VCI) - 75,45 AXP ($200 bounty)
🥉 Le Ngoc Anh - 38,65 AXP ($100 bounty)

🏁 Monthly competition - December (finished!)

The great news is that the monthly competition will also happen, and all points from weekly events will be counted in your monthly point pool. This means you can participate in five events in December.

Results

Bounties?

Yes, we have them. Each week, we will give bounties to TOP 3 researchers. 1st place is $300, 2nd place is $200, and 3rd place is $100 - meaning the weekly bounty pool is $600. Plus, at the end of December, we will count the points for the monthly results, and TOP 15 + 1 researchers will split up an additional $2450. It means that the overall December bounty pool is $4850!

Rules!

  • Patchstack Alliance standard rules apply to these events. Please read the rules carefully. Please report particular vulnerability types on specific weeks to compete in dedicated week events.
  • Yes, you will get extra AXP points for boosted products from the Patchstack mVDP program; you can check the list of boosted products here - Extra points!
  • We will create public profiles for all new researchers who submit valid reports. Each public profile will include information about your results, and it will also have your Twitter, GitHub, LinkedIn, personal and social links. We also accept "BuyMeACoffee" links on the profiles and on database entries for vulnerabilities you have discovered.
  • December results will be visible on this leaderboard. Weekly results will be announced by updating this article, on Patchstack Twitter account and on Patchstack Alliance Discord server.
  • All valid reports will get their CVE IDs. Even if your report does not get any points (like admin+ vulnerabilities), you'll still get the CVE ID if the report is valid.
  • If you have any questions, create a ticket on the Patchstack Alliance Discord server or dm to [email protected].

Announcing Patchstack Alliance Season 1 - New Bug Hunt Challenge and Rewards
https://patchstack.com/articles/announcing-patchstack-alliance-season-1-new-bug-hunt-challenge-and-rewards/
Fri, 31 Mar 2023 11:15:11 +0000

Behold, a new Patchstack Alliance season is here! We thought you might get bored without new challenges, so we prepared an exciting season. The season starts tomorrow, April 1st (it's not a joke), and ends on June 30th. You'll have three months of fun.

Let's start with the things we will hunt for this season - themes, page builders, and their extensions. All reports that will be related to themes, page builders, or their extensions will get a +15% XP boost!

Why boost? Because this season is integrated into the monthly competitions, it's not separate. So all reports are acceptable, but the ones for themes, page builders, or extensions are getting more points.

Patchstack Alliance - seasonal challenge - find bugs in themes and page builders

Higher bounties

With this season, we have increased the monthly bounty pool from 1900 USD to 2425 USD. It means the main pool is now 2025 USD, and there are 400 USD reserved for the special bounties (see the rules for more information about them).

We are also increasing the bounties for the top 10 researchers:

  • The first-place winner will get 650 USD
  • Second place 350 USD
  • Third place 250 USD
  • Fourth to tenth places will be awarded 75 USD bounties.
  • Eleventh to the fifteenth position will earn 50 USD.

Get rewarded by the public

Patchstack database is powering security scans for nearly 5 million WordPress sites already. If a user gets alerted by a vulnerability you found, we want to give them an opportunity to say thanks to you as well (so look for vulnerabilities in plugins that have high installation counts).

We are introducing the personal BuyMeACoffee buttons that will be visible on the following:

  • On your Alliance member profile page.
  • On the report pages that we are sending to the vendors to let them know about the vulnerability you have found.
  • On the database entries for the vulnerabilities you have reported to the Alliance.
BuyMeACoffee button preview

This will give vendors and the community a clear way to thank you for your research. Just remember to create an account on BuyMeACoffee and provide us with your link so we can assign it to your Alliance profile.

More gamification

Oh, and that's not the end. We want to spice up your competition. You will be able to see your positions on the leaderboard, but the scores will be hidden until the end of the month. So you will play with "hidden cards," making it harder to understand how many points separate you from the other researcher above in the leaderboard.

Just keep an eye on the leaderboard, because you’ll never know when someone might take over your position!

Join the Alliance

Patchstack Alliance is a community of ethical hackers who contribute to making the entire web more secure. It's a great place to learn new skills, make friends, and create a portfolio of your security research.

If you're a security researcher, you can join our Patchstack Alliance program here to report vulnerabilities and earn rewards. You can also join our Discord channel.

Patchstack Alliance September Winners & Leaderboard
https://patchstack.com/articles/patchstack-alliance-september-2022-winners-leaderboard/
Fri, 21 Oct 2022 12:58:13 +0000

With another busy month behind us, let's see what the Patchstack Alliance members dug up in September!

Our researchers found 53 confirmed vulnerabilities. 9 of the vulnerabilities were found in plugins with 100,000+ installs across WordPress, including one with 2 million installs. Though, to be fair, that vulnerability in question was not particularly severe.

A couple of vulnerabilities picked up did, however, have a CVSS score over 9.0.

Leaderboard and winners

September bug hunt winners are below:

Congrats to Lana Codes for turning up the heat, and nabbing the top spot this month!

A shoutout to L.Ayotte & T.Jacobs, who are not part of the Alliance but who did report a vulnerability in their own product - we salute you.

How are points awarded?

The score we use to see who gets what prize is made up of several factors, including the popularity of the plugin and the severity of the vulnerability.

For example, a vulnerability with a CVSS score of 6 in a plugin with 1,000,000 installs will give more points than a very critical vulnerability in a plugin with only 1,000 installs.

All reports are important, though, and help make the web more secure! On this note, we want to say thanks to all researchers who submitted vulnerability reports last month!

If you want to compete in the bug hunt and contribute to making WordPress safer, you can join the Patchstack Alliance here.

What is Patchstack Alliance?

Patchstack Alliance is a community of ethical hackers and researchers who support the open web by finding and reporting vulnerabilities in WordPress plugins and themes.

All valid vulnerabilities are also publicly available in our vulnerability database.

Patchstack Alliance August Winners & Leaderboard
https://patchstack.com/articles/patchstack-alliance-august-2022-winners-leaderboard/
Fri, 16 Sep 2022 12:30:52 +0000

It's September, which means it's time to look back at what our security researchers got up to in the last month of summer - and what a hot time it was!

A very busy August

The Patchstack Alliance reported 105 new validated vulnerabilities last month. This doesn't mean that WordPress plugin developers have gotten lazy or careless over the summer - we've just had new people join in on the bug hunt and thus we're casting a wider net.

Oh, and a big "Welcome!" to our new researchers - and a big "thank you" for helping make WordPress safer. Happy to have you aboard!

As for stats, the most popular plugin with a reported vulnerability had more than a million installs. The highest CVSS score reported by our researchers was 9.9 out of 10, indicating critical severity.

We'll add that we also picked up a lot of less critical vulnerabilities in smaller plugins that didn't have many installs. A lot of these were abandoned plugins though, so helping the community find and get rid of those plugins is very important. If you want to know why it's important not to use abandoned plugins, then Robert has a great article about it on our blog.

Leaderboard and winners

August bug hunt winners are below:

How do we award points?

Eagle-eyed readers may notice that the number of vulnerabilities reported by an individual doesn't seem to have an impact on the total score. That's because the score we use to see who gets what prize is made up of several factors, including the popularity of the plugin and the severity of the vulnerability.

So for example, a vulnerability with a CVSS score of 6 in a plugin with 1,000,000 installs will give more points than a very critical vulnerability in a plugin with only 1,000 installs.

But in any case, we want to thank all researchers who submitted vulnerability reports last month; we were excited to see such active contributions!

If you want to compete in the bug hunt and contribute to making WordPress safer, you can join the Patchstack Alliance here.

What is Patchstack Alliance?

Patchstack Alliance is a community of ethical hackers and researchers who support the open web by finding and reporting vulnerabilities in WordPress plugins and themes.

All valid vulnerabilities are also publicly available in our vulnerability database.

Patchstack Alliance July Winners & Leaderboard
https://patchstack.com/articles/patchstack-alliance-july-2022-winners-leaderboard/
Mon, 15 Aug 2022 14:59:25 +0000

Each month we give out rewards and recognition to our community of security researchers and ethical hackers for their contributions to finding WordPress vulnerabilities.

Below you'll find the leaderboard and winners of July's bug hunt.

July 2022 summary

Our researchers caught some seriously big fish in July - one reported vulnerability was found in a plugin with more than 3 million active installs. The average active installation count per reported vulnerability was 141,903.

This goes to show that bugs happen to the best of us - but as long as we take them seriously we can learn from our mistakes and become better developers.

The highest CVSS score reported was 9.1, which indicates critical severity. The plugin that contained that particular bug had 600,000+ active installs.

Besides the main prizes for the Alliance points each month, we have special bounties for vulnerabilities with the highest active install count and highest CVSS severity base score. This month once again Yeraisci managed to nab both prizes!

Leaderboard and winners

Without further ado, here are July's top bug hunters:

*BONUS prizes - 100 USD for the highest CVSS score, 100 USD for the highest install count of the vulnerable plugin

Thanks to all researchers who submitted vulnerability reports last month!

If you want to compete in the bug hunt and contribute to making WordPress safer, you can join the Patchstack Alliance here.

What is Patchstack Alliance?

Patchstack Alliance is a community of ethical hackers and researchers who support the open web by finding and reporting vulnerabilities in WordPress plugins and themes.

All valid vulnerabilities are also publicly available in our vulnerability database.

Patchstack Alliance - June Winners and Leaderboard
https://patchstack.com/articles/patchstack-alliance-june-2022-winners-and-leaderboard/
Fri, 15 Jul 2022 12:42:59 +0000

Welcome one and all to the monthly Patchstack Alliance round-up!

Each month we give out rewards and recognition to our community of researchers for their contributions to finding WordPress vulnerabilities.

Below you'll find the leaderboard and winners of June's bug hunt.

What is Patchstack Alliance?

Patchstack Alliance is a community of ethical hackers and researchers who support the open web by finding and reporting vulnerabilities in WordPress plugins and themes.

In doing so, we help protect WordPress websites from attacks.

June 2022 summary

Our researchers had a pretty spicy month - a few of the reported vulnerable plugins had more than 100,000 active installations, and one of them even had more than 800,000 active installs.

We can say that in June, our researchers reported software that affects more than one million active websites on the Internet. The average active installation count per reported vulnerability was 79,021 websites.

Let's talk about other numbers. To measure the severity of each vulnerability, we use the CVSS (ver. 3.1) scheme and calculator. The highest CVSS score vulnerability reported by Alliance researchers in June had 9.3 (critical) base score points. It was for the plugin that has 20,000 active installs.

One of the most impressive reports we received in June had a plugin vulnerability with a 9.1 (critical) base score at a whopping 100,000 active installs!

The average CVSS base score for reports received in June was 5.2 (medium).

Besides the main prizes for the Alliance points each month, we have special bounties for vulnerabilities with the highest active install count and highest CVSS severity base score. Both special prizes were won by Rafie Muhammad, aka Yeraisci, who also took the top spot on the leaderboard this month!

Well done, Rafie - you, sir, are on a roll.

Leaderboard and winners

June's leaderboard is as follows:

*BONUS prizes - 100 USD for the highest CVSS score, 100 USD for the highest install count of the vulnerable plugin

Thanks to all researchers who submitted vulnerability reports last month!

If you want to compete in the bug hunt and contribute to making WordPress safer, you can join the Patchstack Alliance here.

All valid vulnerabilities are also publicly available in our vulnerability database.

Patchstack Bug Bounty Guidelines & Rules (2026 edition)
https://patchstack.com/articles/bug-bounty-guidelines-rules/
Sun, 10 Jul 2022 08:06:41 +0000

⚠️ Attention! New update, starting March 1, 2026.

Introduction

1.1. Patchstack operates a public Bug Bounty Program focused on open-source software, primarily vulnerabilities within the WordPress ecosystem. More information is available at: https://patchstack.com/bug-bounty/

1.2. The program includes monthly competitions and occasional custom events throughout the year. Participation is open to anyone who submits valid and unique vulnerabilities in accordance with these rules.

1.3. All program operations, timelines, and communications follow Coordinated Universal Time (UTC).

1.4. Patchstack reserves the right to change or update these rules at any time, without prior notice.

1.5. All valid, in-scope vulnerabilities submitted through the Patchstack Bug Bounty Program will be publicly disclosed in the Patchstack Vulnerability Database.

1.6. Patchstack is a CVE Numbering Authority (CNA). This means that each valid, in-scope vulnerability will receive a unique CVE ID and be published in the CVE database, provided no conflicts exist with previously issued CVEs.

1.7. CVE assignment follows official CVE Program rules, with the following exception - assignment may be delayed to prevent CVE conflicts between multiple CNAs operating in the same ecosystem (for example, WordPress).

1.8. By participating in the Patchstack Bug Bounty Program, researchers can earn bounties by reporting valid, unique, and impactful security issues affecting in-scope components such as WordPress core, plugins, and themes.

1.9. By submitting a vulnerability to the Patchstack Bug Bounty Program, you agree to comply with all rules outlined in this document and any related documents.


Reporting Protocol

2.1. All vulnerability reports must be submitted ONLY through the official reporting form - https://patchstack.com/database/report

2.2. Reports sent via email or any other channel will not be accepted.

2.3. A researcher account is created automatically after at least one valid, in-scope vulnerability is submitted. You can access your account any time via this link - https://vdp.patchstack.com/researchers/login by using the email address you're using for vulnerability reporting.

2.4. Each researcher may operate only one account. Creating or using multiple accounts may result in immediate suspension of all related accounts.

2.5. Participation is open to individuals and companies that follow and respect the program rules.

2.6. Reports must be submitted by individual researchers or organizations. Team submissions are not supported, as the monthly competition system does not allow team-based point calculations.


Scope

3.1. The Patchstack Bug Bounty Program accepts vulnerability reports for components in the WordPress ecosystem, including:

  • WordPress core
  • WordPress plugins (free/premium)
  • WordPress themes (free/premium)

3.2. A vulnerability is considered valid only if it has a clear and measurable security impact.

3.3. Both free and premium plugins and themes are accepted. For premium components, researchers must provide the original, unmodified archive file for validation. If a theme depends on specific plugins, those plugins must also be provided.

⚠️ 3.4. The following are not accepted:

  • ⚠️ Vulnerabilities with a CVSS v3.1 base score lower than 6.5 are not accepted.
  • ⚠️ Components with fewer than 1,000 active installs are generally considered out of scope. Exceptions may be made for reports with a CVSS base score of 8.5 or higher, provided the required privileges do not exceed Unauthenticated, Subscriber, or Customer roles and install count is not lower than 100 active installs.
  • ⚠️ Only vulnerabilities that can be exploited by unauthenticated users or by users with default Subscriber or Customer roles are eligible. Reports requiring Contributor-level access are accepted only if the CVSS base score is 7.5 or higher. Vulnerabilities requiring roles with higher privileges are out of scope.
  • ⚠️ Reports involving custom roles are accepted only if the role provided by the affected component has capabilities equivalent or closely aligned with those of the Subscriber or Customer roles. Reports involving roles with capabilities exceeding those of the default Subscriber or Customer roles are not accepted.
  • CSV injection vulnerabilities, as they depend on external actions outside WordPress and cannot be reliably evaluated.
  • IP spoofing issues, unless they directly affect a feature that relies on IP integrity (such as IP-based blocking) and is explicitly intended to resist spoofing.
  • Race condition vulnerabilities with a CVSS v3.1 base score below 7.1, unless a clear security impact is demonstrated.
  • CAPTCHA or any other version of Turing test bypass.
  • Arbitrary user registration by unprivileged/unauthenticated users, unless the vulnerability results in the creation of an arbitrary administrator account.
  • Authenticated (Contributor or higher) shortcode preview issues, unless sensitive or security-related information (such as PII) is disclosed with measurable impact (this limitation does not apply to XSS vulnerabilities).
  • CSRF or Broken Access Control issues that only dismiss notices, unless the dismissal creates a real security impact.
  • IP bypass issues affecting non-critical actions (such as likes, views, or counters).
  • Components whose last version was released more than three years ago.
  • Vulnerabilities that do not exist in the latest version (for example, patched by the vendor but never disclosed).
  • The component must be publicly available through WordPress.org, the vendor’s official website, or another publicly accessible source such as GitHub, CodeCanyon, or ThemeForest. Custom-made, modified, or private components that are not publicly distributed are not accepted.

Uniqueness Requirement

4.1. All reported vulnerabilities must be new and unique and must not have been previously reported or publicly disclosed.

4.2. Exceptions apply if the vulnerability was first reported directly to the vendor prior to submission to Patchstack. Such reports are accepted only if the vendor confirms the vulnerability and indicates a willingness to patch it. This requirement is mandatory for components developed or owned by Automattic, which must first be reported through Automattic’s HackerOne program.

4.3. If a researcher account is suspended, all associated XP, vulnerability reports, and CVE assignments remain permanently linked to that account. They cannot be transferred or reassigned.

4.4. If multiple researchers report the same vulnerability (even across different parameters or endpoints), credit is given to the first valid submission. Attempts to manipulate the system, such as using multiple accounts or submitting duplicates across different bounty programs may result in penalties, including account suspension.

4.5. Incomplete patches that are publicly disclosed are not considered new vulnerabilities. However, if an incomplete patch introduces a new attack vector that was not possible before, it may be considered a new vulnerability.


Quality Assurance

5.1. All reports must be submitted using the official reporting form and must follow the form’s requirements: https://patchstack.com/database/report

5.2. Reports must be complete, accurate, and reproducible. Incomplete reports will be rejected. Researchers are given up to two chances to fix and resubmit rejected reports.

5.3. Each report must include:

  • A clear, step-by-step text-based proof of concept (PoC)
  • Steps starting from plugin or theme installation and ending with successful exploitation
  • All required raw HTTP request(s) in text form
  • The exact payload(s) used during testing
  • Video screenshots are highly appreciated

⚠️ 5.4. Repeated submission of false-positive vulnerability reports, or a high rate of false positives (5% or higher), will result in the researcher being removed from the leaderboard for one month, with a cooldown period applied (no reports accepted).

⚠️ 5.5. If the same behavior persists, the researcher will be permanently banned from the Patchstack Bug Bounty Program and the Patchstack Alliance community. Any pending bounties, if applicable, will be returned to the bug bounty pool.

⚠️ 5.6. Researchers who disregard the Patchstack mVDP by reporting or selling vulnerabilities to any third party will be permanently banned from the Patchstack Bug Bounty Program and the Patchstack Alliance community. Their accounts will be deleted, and any associated achievements will be removed.


Rejection Criteria

6.1. Reports may be rejected for reasons including, but not limited to:

  • Incomplete or inaccurate information
  • Invalid vulnerability claims
  • Use of non-standard or modified user roles
  • Reports for closed or inaccessible plugins or themes
  • Components not publicly distributed through WordPress.org, Envato, GitHub, or another widely recognized repository
  • Reports submitted by the vendor or developer of the affected component (accepted for disclosure purposes, but not eligible for bounties)

Vendor Engagement

7.1. Patchstack will use the most efficient publicly listed vendor contact channels for vulnerability reporting.

7.2. Contact methods that require account registration will be ignored.

7.3. If no contact details are available, the vulnerability may be disclosed immediately.

7.4. Vendors are notified once. It is the vendor’s responsibility to patch the issue promptly.


CVE Assignment

8.1. CVE IDs are assigned only after confirming there are no conflicts with existing CVEs. Assignment may be delayed to prevent duplicate CVE IDs across multiple CNAs.

8.2. If multiple researchers report the same vulnerability, the CVE is assigned to the first valid report. All later submissions are rejected.

8.3. Researchers may disclose vulnerabilities already reported to other programs by selecting the appropriate option during submission. In such cases, the vulnerability may be listed without a CVE ID.


Research Points (XP)

9.1. XP (Research Points) are awarded for valid vulnerability reports and are used to determine competition rankings and winners on monthly competitions and custom events.

9.2. XP calculations are based on several factors, described below.

9.3. XP is calculated by applying the multipliers listed below to the initial CVSS base score.


CVSS Base Score (v3.1)

10.1. The CVSS v3.1 is the primary indicator of severity and must be calculated using the official calculator: https://www.first.org/cvss/calculator/3.1

10.2. Only the CVSS base score is used for all calculations.


Active Install Count

11.1. Each range applies a multiplier to the final XP score.

11.2. For premium products, active installs are estimated based on sales volume.

Multiplier   Installs
⚠️ x0.25     < 1K installs (eligible only if the component has at least 100 installs, a CVSS base score of 8.5 or higher, and can be exploited by unauthenticated users or users with Subscriber or Customer roles)
x0.5         1K+ active installs
x0.75        5K+ active installs
x1           10K+ active installs
x2           25K+ active installs
x3           50K+ active installs
x4           100K+ active installs
x5           200K+ active installs
x6           400K+ active installs
x7           800K+ active installs
x8           1.6 million+ active installs
x9           3.2 million+ active installs
x10          5 million+ active installs
x20          WordPress core

Privilege Requirement Coefficients

12.1. XP multipliers are applied based on the minimum privilege level required to exploit the vulnerability.

Multiplier   Level of privilege
⚠️ none      Editor, Author, Admin, Shop Manager, SuperAdmin (not accepted)
x0.75        Contributor
x1           Subscriber and Customer (WooCommerce)
x2           Unauthenticated

Vulnerability Type Coefficients

13.1. XP multipliers are applied based on vulnerability type.

Multiplier   Vulnerability type
x3           Remote Code Execution (RCE), Arbitrary file upload, deletion, Privilege escalation to Admin users, Arbitrary code execution
x2           SQL Injection (SQLi), PHP Object Injection, Insecure Deserialization, Local File Inclusion (LFI)
x1.5         Arbitrary file download/deletion, Privilege escalation to Non-Admin users
x0.25        Cross-Site Request Forgery (CSRF)
x0.2         Race Condition

13.2. If a CSRF vulnerability leads to another vulnerability type (for example, CSRF leading to RCE), both multipliers apply.

13.3. If install or sales numbers cannot be reliably determined, Patchstack may use public data sources such as Google SERPs or PublicWWW.

13.4. XP is calculated monthly or within the timeframe of a specific custom event. Ongoing results appear on the leaderboard: https://patchstack.com/database/leaderboard

13.5. Final results are announced after all reports are validated (up to 10 business days if a backlog of reports requires more time for processing).


Disclosure

14.1. All vulnerabilities are publicly disclosed to the Patchstack Vulnerability Database according to the Patchstack Vulnerability Disclosure Policy.

14.2. Disclosure may be delayed until a fix is released and sufficient user adoption is observed.

14.3. Policy details: https://patchstack.com/patchstack-vulnerability-disclosure-policy/

14.4. Researchers must not disclose vulnerability details to any third parties before official public disclosure by Patchstack, which occurs when the vulnerability is publicly visible in the Patchstack Vulnerability Database and the assigned CVE is published.

14.5. To comply with EU CRA requirements, all publications are made immediately once the patch is released and validated (or released after validation).

14.6. The patch must be released as a dedicated update containing only security-related changes, with no additional code modifications. The version number or changelog description must clearly indicate that the release is a security fix.

Escalation Protocol

15.1. If a vendor does not respond within 14 days, Patchstack may proceed with public disclosure and may notify relevant security teams.

15.2. For components enrolled in Patchstack mVDP, disclosure timelines may be extended. Disclosure may be accelerated in cases of active exploitation or third-party disclosure.

15.3. If a vendor overlooks a report and the vulnerability is publicly disclosed, they may contact us at [email protected] to receive prompt assistance with vulnerability details, quick patch validation, and issue resolution.


Attribution

16.1. Public disclosures include researcher attribution using the provided name or nickname, and include ‘Patchstack Bug Bounty Program’ for program recognition.

16.2. CVE IDs are published in the global CVE database after disclosure with the same researcher data as in the Patchstack Vulnerability Database entry.


Monthly Competition

17.1. Monthly competitions run from the first day of the month at 00:00 UTC to the last day at 23:59 UTC.

17.2. Results are announced on the Patchstack Alliance Discord server.

17.3. Patchstack guarantees a minimum monthly bounty pool of $8,800, distributed based on final rankings.

17.4. Leaderboard: https://patchstack.com/database/leaderboard

Custom Events, Challenges

18.1. Custom events and CTF games, as well as their rules, are announced on Discord.

18.2. Custom challenges may be announced for extra bounties as part of the monthly competition.

Monthly Bounty Pool

19.1. Monthly bounties are distributed based on final leaderboard rankings as follows:

Rank                                 Bounty
1st place                            $2,000
2nd place                            $1,400
3rd place                            $800
4th place                            $600
5th place                            $500
6th–10th place                       $400
11th–15th place                      $200
16th–19th place                      $100
20th place + one random researcher   $50

19.2. A random bounty of $50 is awarded to one randomly selected researcher outside the top 20 rankings who has submitted at least one valid report with XP greater than 0.

19.3. High-impact vulnerabilities may be eligible for individual bounty rewards even if they do not qualify for the Zeroday program. Such cases are evaluated individually and must be discussed by opening a support ticket on the Patchstack Alliance Discord server in the #support channel.

XP Requirement

20.1. Bounties are paid only if the researcher has more than 0 XP for the respective month. If a researcher has 0 XP, no bounty will be paid, even if their leaderboard position qualifies for a reward. This rule also applies to random rewards.


Level Rewards

21.1. Researchers receive passive rewards for accumulating XP and progressing through levels. XP is earned through:

  • Monthly competitions
  • Custom events
  • Patchstack Zeroday bounties

21.2. Levels reset to Level 1 at the beginning of each year. Updated level-related rules are announced after final monthly and yearly results are confirmed.

21.3. Starting from Level 1, researchers unlock additional rewards. These rewards are paid together with monthly bounties.

Level      XP required   Reward
Level 1    100           $50
Level 2    300           $100
Level 3    600           $200
Level 4    1,000         $300
Level 5    1,700         $500
Level 6    2,700         $700
Level 7    4,000         $1,000
Level 8    5,500         $1,337
Level 9    7,500         $1,700
Level 10   10,000        $2,500
Level 11   13,000        $3,500
Level 12   19,000        $5,000

Zeroday Bounties

22.1. Patchstack offers Zeroday bounties for high-impact vulnerabilities on a case-by-case basis (bounty per vulnerability).

22.2. Zeroday rewards are paid together with monthly bounties.

22.3. Zeroday Bounties are:

Active installs                                  Unauthenticated   Subscriber / Customer
1,000+                                           $250              $125
5,000+                                           $400              $200
10,000+                                          $600              $300
50,000+                                          $1,400            $700
100,000+                                         $2,600            $1,300
500,000+                                         $4,900            $2,450
1,000,000+                                       $7,200            $3,600
5,000,000+                                       $14,400           $7,200
15,000,000+ or WordPress Core (latest stable)    $33,000           $16,500

22.4. To qualify for a Zeroday bounty, all of the following conditions must be met:

  • The component is a free or premium WordPress plugin, theme, or WordPress core (excluding components hosted in private, non-public repositories)
  • The vulnerability leads to a full site compromise, including the ability to upload and access a functional backdoor
  • Exploitable by:
    • Unauthenticated users, or
    • Subscriber / Customer (WooCommerce) roles or lower
  • The report includes a working exploit
  • No prerequisites are required:
    • Latest stable version
    • Default settings
    • Common environment
    • No additional vulnerabilities required
  • Exploitation does not require user interaction
  • The vulnerability:
    • Has not been reported elsewhere
    • Is not previously known to the vendor
    • Is not publicly disclosed
  • The vulnerability is eligible under all other Patchstack program rules
  • End-of-life components or components not updated in the last three years are not accepted
  • Any required POP chain must exist in:
    • The latest WordPress core version at the time of submission, or
    • The affected component itself
  • A single vulnerability affecting multiple components is treated as one issue, resulting in:
    • One bounty payout
    • One CVE ID
    • Total active installs across all affected components used to calculate impact

22.5. Valid Zeroday vulnerabilities are not included in XP for the monthly competition or levels, as they are rewarded separately.

22.6. XP points earned from Zero-day reports do not contribute to level progression (21. Level Rewards), as these reports are rewarded on a per-bounty, per-report basis.


Benefits of Participation

23.1. Participation provides opportunities to:

  • Earn financial rewards
  • Gain public recognition
  • Receive CVE IDs for valid vulnerabilities
  • Contribute to improving the security of the WordPress ecosystem and open-source in general
  • Engage with the Patchstack research community

Membership

24.1. Membership in the Patchstack Alliance is open to individuals committed to improving WordPress security and complying with program requirements. Members receive access to Discord member-only channels.

24.2. Patchstack reserves the right to remove or ban any researcher from the public Discord channels dedicated to the Alliance community and the Bug Bounty program (including account deletion) in cases of inappropriate behavior, violations of applicable rules, or failure to adhere to the ethical standards of responsible vulnerability disclosure.


Payouts

25.1. Bounties are paid via PayPal by default. Researchers are responsible for managing their PayPal accounts, complying with all local tax obligations.

25.2. If a PayPal account is blocked, restricted, or frozen due to sanctions, Patchstack will attempt to complete payment within three months. After three months, unpaid bounties are returned to the bounty pool.

25.3. For bounties of $500 or higher, we offer two more payment options:

  • Bank transfer payments
  • Cryptocurrency payments (Bitcoin or Ethereum) are processed using the exchange rate available at the time of payment. Patchstack is not responsible for any decrease in cryptocurrency value. By choosing this payout method, you acknowledge and accept all associated risks.

25.4. An invoice is mandatory regardless of the payment method. PayPal has its own integrated invoicing engine; for other payment methods you need to generate invoices on your own. Payments are not processed without an invoice.

25.5. Invoices must include:

  • Full name
  • Country and address
  • Addressed to: Patchstack OÜ
  • Payment purpose:
    “Security research (your name or nickname used in the program)”

25.6. Payments are processed 30 days after final results are announced.

25.7. Additional payment guidance:
https://www.notion.so/patchstack/Patchstack-Alliance-payments-b6d63c55099e4f65b842bc5ce60de2d7


Communication

26.1. Official updates are shared via:

26.2. Support is available via Discord support tickets on #support channel.

26.3. For edge cases or sensitive matters, contact [email protected]


Winners Of WordPress Bug Hunt 2021
https://patchstack.com/articles/winners-of-wordpress-bug-hunt-2021/
Wed, 11 May 2022 12:40:18 +0000

In March 2021, we started a bug-hunting program where together with partners, we reward developers and ethical hackers who help us make the WordPress ecosystem more secure.

Since then, we have received more than 1000 security reports and paid out $17,450 USD as cash rewards. This is all possible thanks to our dear partners who you can see here: https://patchstack.com/bug-bounty/

We didn’t stop there! We also kicked off an annual WP BUG HUNT where anyone who reports security issues has the potential to win infosec licenses, merch, and more!

Prizes for the WordPress Bug Hunt 2021

The WordPress Bug Hunt 2021 was not only for Patchstack Alliance members but for the entire WordPress ecosystem, so anyone who wanted to contribute could join.

All you needed to do was to report at least one valid security vulnerability within a WordPress core, any theme, or any plugin which we can then help the developers fix.

Everyone who reported more than 3 valid vulnerabilities got an invitation to the Patchstack Alliance program where monthly cash payouts are guaranteed to active members.

WordPress Bug Hunt 2021

Winners of the WordPress Bug Hunt 2021 prizes are picked randomly from everyone who participated. The kickoff season had the following prizes:

The winners of WordPress Bug Hunt 2021

First of all, we’d like to thank all of our partners, community members, and supporters who have helped us with the program and who deeply care about WordPress and open-source security.

We’d like to highlight some of the biggest supporters, such as Plesk, Pagely, Veebimajutus, GridPane, SecuPress, ShieldSecurity, and Themecloud. The entire WordPress ecosystem thanks you for your contribution!

Winners:

  • 1 x HAK5 Essentials Field Kit - Tien Nguyen Anh
  • 1 x BurpSuite PRO annual license - Julio Potier (SecuPress)
  • 1 x BurpSuite PRO annual license - Ahmed Ibrahim
  • 1 x PentesterLab PRO annual license - Asif Nawaz Minhas
  • 1 x PentesterLab PRO annual license - Philippe Dourassov
  • Patchstack hoodie - ptsfense
  • Patchstack hoodie - Jeong Won Jun
  • Patchstack hoodie - Lenon Leite
  • Patchstack water bottle - Rasi Afeef
  • Patchstack water bottle - Nguyen Van Khanh
  • Patchstack water bottle - Huli

Congratulations to everyone and thank you for participating! Patchstack will reach out to each and every one of you directly!

Patchstack Alliance becomes more open

We will announce the next season of WordPress Bug Hunt soon... but before that, we’ll make the entire Patchstack Alliance program more accessible to everyone.

Access to the community & monthly cash prizes is now available to anyone who reports at least 1 valid vulnerability.

In addition to the guaranteed monthly cash prizes, we have introduced special bounties for:

  • Vulnerability with the highest installation count*
  • Vulnerability that affects most (more than one) plugins*
  • Vulnerability with the highest CVSS (3.1) severity*

More information about Patchstack Alliance and how to get involved can be found here: https://patchstack.com/bug-bounty/

If you care about WordPress and open-source security and would like to support the Patchstack Alliance program - please let us know!

Patchstack Red Team Is Now Patchstack Alliance
https://patchstack.com/articles/introducing-patchstack-alliance/
Tue, 15 Mar 2022 14:04:23 +0000

Patchstack Red Team is now Patchstack Alliance.

Exactly 1 year ago, Patchstack kicked off a bug hunting community that gathered together ethical hackers who contribute to making the WordPress ecosystem more secure.

After an exciting year of working together with researchers all around the world, we learned that this initiative could have an even bigger impact.

Our initiative was originally named “Patchstack Red Team”. We have learned that many developers who build plugins in the WordPress ecosystem are equally interested in contributing, but they don’t identify themselves as security researchers or red-teamers.

With these learnings, we’ve realized that our initiative is more about connecting multiple groups and not so much about a single identifiable group of people.

Renaming Patchstack Red Team to Patchstack Alliance

Our vision is to build the bridge between ethical hackers and plugin vendors. Our goal is to create an alliance between ethical hackers, plugin vendors, and hosting companies so together we can make the WordPress ecosystem more secure.


This will not change anything for the current Alliance (formerly Red Team) members, but one could expect our community to get much more diverse over the upcoming months. We have been working on this for quite some time and in Q2 2022 we will be announcing more.

We are very excited about what is coming - if you’re an ethical hacker, security researcher, plugin developer, theme developer, or hosting provider, make sure to stay tuned, and let’s make the WordPress and open-source ecosystem safer together!

More than $13,000 paid in bounties in the first year

In the first year of operating, we’ve received over 1000 reports from the community and have paid out more than $13,000 USD as bounties.

We’d like to thank our whole community, which has come together from Germany, France, Russia, Portugal, Brazil, Vietnam, Colombia, the Netherlands, India, Estonia, Lithuania, Myanmar, Thailand, Malaysia, China, and Indonesia. You’re awesome!

We also want to thank all our partners who have been supporting us: Pagely, Plesk, Veebimajutus, cPanel, GridPane, Shield Security, EWWW Image Optimizer, Cloudways, SecuPress, and Themecloud. Thank you!

If you’re reading this and want to get involved let’s have a chat: https://app.harmonizely.com/patchstack/alliance

Patchstack Alliance (Red Team) Interview With Lenon Leite
https://patchstack.com/articles/patchstack-red-team-interview-with-lenon-leite/
Tue, 21 Dec 2021 13:18:44 +0000

In this article, we will introduce our Alliance (formerly Red Team) member Lenon Leite. Lenon has been an Alliance member since March 2021.

Patchstack Alliance is a community of independent security researchers who contribute to building a safer web.

The Alliance members identify and report security vulnerabilities in WordPress plugins and themes to help software vendors address security issues before they pose a risk to users and to the public.

What is your story about getting into cybersecurity?

My background comes from web development, so I started developing in PHP, most of the time using WordPress.

I've always been interested in security. The main goal has not been about exploiting the vulnerabilities, but more about understanding them.

I started publishing on Exploit-DB and WPScan and giving some talks at WordCamps, until I got here.

What are your hobbies, what do you do in your free time?

Nowadays, I like traveling, discovering new places and new cultures. I'm always looking for a good music festival in different places. Sometimes I play my CDJ.

Every other day I usually exercise in the gym or go for a run.

What are your favorite movies and PC games?

Under favorite movie/series/book I'd list these three:

  1. Mr Robot
  2. Silk Road (a movie based on the real story of Ross Ulbricht)
  3. Kingpin (a book about the real-life computer hacker Max Butler)

I don't like games too much, but I would say my top three are:

  1. Age of Empires II
  2. Age of Empires III
  3. Counter-Strike

If you'd decide to change your profession what would that profession be?

This is a hard question. I guess I'd sell coconuts on some beach.

Just kidding! Maybe something in the field of finance or something connected to sports or music.

Have you attended or spoken on any WordCamps?

I prepared to go to WordCamp in 2020, but the pandemic came and I ended up not submitting my speaker proposal.

Lenon Leite: WordPress Vs Hackers – Como minimizar os problemas (How to minimize the problems), on WordPress.tv

But yes, I have already spoken in 4 WordCamps and I do intend to speak this year (June 2-4, 2022 in Porto, Portugal). It would be like a small goal, but if it's not possible I’ll go and visit other WordCamps around the world.

What kind of vulnerabilities do you like to search for, and why?

I enjoy finding vulnerabilities related to file handling.

Like delete, copy, rename, read, download. I like this type of vulnerability because the way to write code to protect against those is very different from XSS and SQL Injection (the most common vulnerabilities).

There is usually no code or structure that blocks this.
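An added example, not Lenon's code and not taken from any plugin he reported on: a WordPress AJAX download handler in the unchecked form he describes, beside a hardened version that authorizes the request and confines the canonical path to the plugin's own directory. The function names, the `my-plugin` upload folder and the `myplugin_download` nonce action are assumptions.

```php
<?php
// Added example, not code from Lenon or from any real plugin: a WordPress AJAX
// download handler in the unchecked form he describes, then a hardened version.
// Assumed layout: the plugin serves files from wp-content/uploads/my-plugin/.

// Vulnerable: the request parameter is joined to the base directory as-is, so a
// value such as "../../wp-config.php" escapes the folder; there is also no
// capability or nonce check, so any visitor can trigger the handler.
function myplugin_download_vulnerable() {
    $base = wp_upload_dir()['basedir'] . '/my-plugin/';
    readfile($base . $_GET['file']);
    exit;
}

// Hardened: authorize the request first, then canonicalize and confine the path.
function myplugin_download_hardened() {
    check_ajax_referer('myplugin_download', 'nonce');   // CSRF token (assumed action name)
    if (!current_user_can('upload_files')) {            // who may download at all
        wp_die('Forbidden', '', ['response' => 403]);
    }
    $base      = realpath(wp_upload_dir()['basedir'] . '/my-plugin');
    $requested = isset($_GET['file']) ? wp_unslash($_GET['file']) : '';
    $target    = myplugin_confine_path($base, $requested);
    if ($target === false) {
        wp_die('Invalid file', '', ['response' => 400]);
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($target) . '"');
    readfile($target);
    exit;
}

// Returns the canonical path when it is a regular file inside $base, else false.
// Kept free of WordPress calls so it can be unit-tested on a temp directory.
function myplugin_confine_path($base, $requested) {
    if ($base === false || $requested === '' || strpos($requested, "\0") !== false) {
        return false;                      // missing base, empty name, or null byte
    }
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return false;                      // does not exist, or is a directory
    }
    // Compare against the base plus a separator so "/uploads/my-plugin-evil" is rejected.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : false;
}
```

The same confinement step applies to the delete, copy and rename operations he lists: canonicalize, then compare against the base directory before calling unlink(), copy() or rename().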

What kind of tools do you use?

Like everyone else, I use Burp. But I have also developed a SAST (Static Application Security Testing) tool. So I take code patterns that I know are vulnerable and look for new ways for this pattern. After that, I insert the new pattern in this system to find the same vulnerability in other systems.

Any suggestions to other cyber security researchers who are just starting their career path?

My suggestion to get started is to contribute to communities or on GitHub. The more you give, the more the world will give back to you. It's a way for you to learn, and show yourself to the market.

Do you enjoy being part of Patchstack Alliance? Would you recommend that other researchers join?

I like it and I recommend it too. It's a group of highly capable people with incredible skills; it's where the deepest information appears and is discussed clearly.

It's a place to exchange experiences and every day someone has something nice to share.
