So in that spirit, we're very excited to announce that we now have a partnership with WPMU DEV - their Defender Pro security plugin now uses Patchstack's vulnerability intelligence feed to help protect their users' sites.

How does it work?

Defender Pro is a WordPress security plugin that lets users monitor and manage their website's security from one dashboard, from running scans to managing blocklists and firewalls.

It uses Patchstack's vulnerability feed to identify vulnerable WordPress components in those websites using. If any vulnerabilities are found it they show up in the Defender Pro dashboard:

It can also send users email notifications about any vulnerable components. From the dashboard, users can then update the components to a safe version.

The integration is already live for all Defender Pro customers, as long as you're running the latest version. For more information on how vulnerability detection works you can read WPMU DEV's announcement post.

About WPMU DEV

WPMU DEV is a leading provider of WordPress plugins, hosting and site management tools. In addition to its products, the company also offers 24/7 support and a wealth of tutorials and resources to help users get the most out of their sites, and grow their online businesses.

A strategic view on security

Our partnership with WPMU DEV is one more step toward building a bigger safety net around the WordPress community. It follows collaboration with hosting services like Plesk, Hostinger, One.com, and others.

We're not just working together with hosts and WP management tools on this - there are many ways you can contribute to open-source security.

If you're a security researcher, you can join Patchstack Alliance, our bug bounty program, to report vulnerabilities and earn rewards.

If you're a plugin developer, join our recently launched mVDP program that makes it easier to manage and address vulnerability reports for your plugins - which in turn is a great way to show that you are taking the security of your projects seriously.

The post WPMU DEV's Defender Pro Now Powered by Patchstack's Vulnerability Feed appeared first on Patchstack.

Each month we give out rewards and recognition to our community of researchers for their contributions to finding WordPress vulnerabilities.

Below you'll find the leaderboard and winners of June's bug hunt.

What is Patchstack Alliance?

Patchstack Alliance is a community of ethical hackers and researchers who support the open web by finding and reporting vulnerabilities in WordPress plugins and themes.

In doing so, we help protect WordPress websites from attacks.

June 2022 summary

Our researchers had a pretty spicy month - a few of the reported vulnerable plugins had more than 100,000 active installations, and one of them even had more than 800,000 active installs.

We can say that in June, our researchers reported software that affects more than one million active websites on the Internet. Average active installation count per reported vulnerability - 79021 websites.

Let's talk about other numbers. To measure the severity of each vulnerability, we use the CVSS (ver. 3.1) scheme and calculator. The highest CVSS score vulnerability reported by Alliance researchers in June had 9.3 (critical) base score points. It was for the plugin that has 20,000 active installs.

One of the most impressive reports we received in June had a plugin vulnerability with a 9.1 (critical) base score at a whooping 100,000 active installs!

The average CVSS base score for reports received in June was 5.2 (medium).

Besides the main prizes for the Alliance points each month, we have special bounties for vulnerabilities with the highest active install count and highest CVSS severity base score. Both special prizes were won by Rafie Muhammad, aka Yeraisci, who also took the top spot on the leaderboard this month!

Well done, Rafie - you, sir, are on a roll.

Leaderboard and winners

June's leaderboard is as follows

Thanks to all researchers who submitted vulnerability reports last month!

If you want to compete in the bug hunt and contribute to making WordPress safer, you can join the Patchstack Alliance here.

All valid vulnerabilities are also publicly available in our vulnerability database.

The post Patchstack Alliance - June Winners and Leaderboard appeared first on Patchstack.

Introduction

1.1. Patchstack operates a public Bug Bounty Program focused on open-source software, primarily vulnerabilities within the WordPress ecosystem. More information is available at: https://patchstack.com/bug-bounty/

1.2. The program includes monthly competitions and occasional custom events throughout the year. Participation is open to anyone who submits valid and unique vulnerabilities in accordance with these rules.

1.3. All program operations, timelines, and communications follow Coordinated Universal Time (UTC).

1.4. Patchstack reserves the right to change or update these rules at any time, without prior notice.

1.5. All valid, in-scope vulnerabilities submitted through the Patchstack Bug Bounty Program will be publicly disclosed in the Patchstack Vulnerability Database.

1.6. Patchstack is a CVE Numbering Authority (CNA). This means that each valid, in-scope vulnerability will receive a unique CVE ID and be published in the CVE database, provided no conflicts exist with previously issued CVEs.

1.7. CVE assignment follows official CVE Program rules, with the following exception - assignment may be delayed to prevent CVE conflicts between multiple CNAs operating in the same ecosystem (for example, WordPress).

1.8. By participating in the Patchstack Bug Bounty Program, researchers can earn bounties by reporting valid, unique, and impactful security issues affecting in-scope components such as WordPress core, plugins, and themes.

1.9. By submitting a vulnerability to the Patchstack Bug Bounty Program, you agree to comply with all rules outlined in this document and any related documents.

Reporting Protocol

2.1. All vulnerability reports must be submitted ONLY through the official reporting form - https://patchstack.com/database/report

2.2. Reports sent via email or any other channel will not be accepted.

2.3. A researcher account is created automatically after at least one valid, in-scope vulnerability is submitted. You can access your account any time via this link - https://vdp.patchstack.com/researchers/login by using the email address you're using for vulnerability reporting.

2.4. Each researcher may operate only one account. Creating or using multiple accounts may result in immediate suspension of all related accounts.

2.5. Participation is open to individuals and companies that follow and respect the program rules.

2.6. Reports must be submitted by individual researchers or organizations. Team submissions are not supported, as the monthly competition system does not allow team-based point calculations.

Scope

3.1. The Patchstack Bug Bounty Program accepts vulnerability reports for components in the WordPress ecosystem, including:

• WordPress core
• WordPress plugins (free/premium)
• WordPress themes (free/premium)

3.2. A vulnerability is considered valid only if it has a clear and measurable security impact.

3.3. Both free and premium plugins and themes are accepted. For premium components, researchers must provide the original, unmodified archive file for validation. If a theme depends on specific plugins, those plugins must also be provided.

⚠️ 3.4. The following are not accepted:

• ⚠️ Vulnerabilities with a CVSS v3.1 base score lower than 6.5 are not accepted.
• ⚠️ Components with fewer than 1,000 active installs are generally considered out of scope. Exceptions may be made for reports with a CVSS base score of 8.5 or higher, provided the required privileges do not exceed Unauthenticated, Subscriber, or Customer roles and install count is not lower than 100 active installs.
• ⚠️ Only vulnerabilities that can be exploited by unauthenticated users or by users with default Subscriber or Customer roles are eligible. Reports requiring Contributor-level access are accepted only if the CVSS base score is 7.5 or higher. Vulnerabilities requiring roles with higher privileges are out of scope.
• ⚠️ Reports involving custom roles are accepted only if the role provided by the affected component has capabilities equivalent or closely aligned with those of the Subscriber or Customer roles. Reports involving roles with capabilities exceeding those of the default Subscriber or Customer roles are not accepted.

• CSV injection vulnerabilities, as they depend on external actions outside WordPress and cannot be reliably evaluated.
• IP spoofing issues, unless they directly affect a feature that relies on IP integrity (such as IP-based blocking) and is explicitly intended to resist spoofing.
• Race condition vulnerabilities with a CVSS v3.1 base score below 7.1, unless a clear security impact is demonstrated.
  CAPTCHA or any other version of Turing test bypass.
• Arbitrary user registration by unprivileged/unauthenticated users, unless the vulnerability results in the creation of an arbitrary administrator account.
• Authenticated (Contributor or higher) shortcode preview issues, unless sensitive or security-related information (such as PII) is disclosed with measurable impact (this limitation does not apply to XSS vulnerabilities).
• CSRF or Broken Access Control issues that only dismiss notices, unless the dismissal creates a real security impact.
• IP bypass issues affecting non-critical actions (such as likes, views, or counters).
• If the last version of the component was released more than three years ago.
• If vulnerability doesn't exist in the latest version (for example patched by vendor, but never disclosed).
• The component must be publicly available through WordPress.org, the vendor’s official website, or another publicly accessible source such as GitHub, CodeCanyon, or ThemeForest. Custom-made, modified, or private components that are not publicly distributed are not accepted.

Uniqueness Requirement

4.1. All reported vulnerabilities must be new and unique and must not have been previously reported or publicly disclosed.

4.2. Exceptions apply if the vulnerability was first reported directly to the vendor prior to submission to Patchstack. Such reports are accepted only if the vendor confirms the vulnerability and indicates a willingness to patch it. This requirement is mandatory for components developed or owned by Automattic, which must first be reported through Automattic’s HackerOne program.

4.3. If researcher account is suspended, all associated XP, vulnerability reports, and CVE assignments remain permanently linked to that account. They cannot be transferred or reassigned.

4.4. If multiple researchers report the same vulnerability (even across different parameters or endpoints), credit is given to the first valid submission. Attempts to manipulate the system, such as using multiple accounts or submitting duplicates across different bounty programs may result in penalties, including account suspension.

4.5. Incomplete patches that are publicly disclosed are not considered new vulnerabilities. However, if an incomplete patch introduces a new attack vector that was not possible before, it may be considered a new vulnerability.

Quality Assurance

5.1. All reports must be submitted using the official reporting form and must follow the form’s requirements: https://patchstack.com/database/report

5.2. Reports must be complete, accurate, and reproducible. Incomplete reports will be rejected. Researchers are given up to two chances to fix and resubmit rejected reports.

5.3. Each report must include:

• A clear, step-by-step text-based proof of concept (PoC)
• Steps starting from plugin or theme installation and ending with successful exploitation
• All required raw HTTP request(s) in text form
• The exact payload(s) used during testing
• Video screenshots are highly appreciated

⚠️ 5.4. Repeated submission of false-positive vulnerability reports, or a high rate of false positives (5% or higher), will result in the researcher being removed from the leaderboard for one month, with a cooldown period applied (no reports accepted).
⚠️ 5.5. If same malicious behavior persists, the researcher will be permanently banned from the Patchstack Bug Bounty Program and the Patchstack Alliance community. Any pending bounties, if applicable, will be returned to the bug bounty pool.
⚠️ 5.6. Researchers who disregard the Patchstack mVDP by reporting or selling vulnerabilities to any third party will be permanently banned from the Patchstack Bug Bounty Program and the Patchstack Alliance community. Their accounts will be deleted, and any associated achievements will be removed.

Rejection Criteria

6.1. Reports may be rejected for reasons including, but not limited to:

• Incomplete or inaccurate information
• Invalid vulnerability claims
• Use of non-standard or modified user roles
• Reports for closed or inaccessible plugins or themes are not accepted.
• Patchstack may reject reports if the affected component is not publicly distributed through WordPress.org, Envato, GitHub, or another widely recognized repository.
• Reports submitted by the vendor or developer of the affected component are accepted for disclosure purposes but are not eligible for bounties.

Vendor Engagement

7.1. Patchstack will use the most efficient publicly listed vendor contact channels for vulnerability reporting.

7.2. Contact methods that require account registration will be ignored.

7.3. If no contact details are available, the vulnerability may be disclosed immediately.

7.4. Vendors are notified once. It is the vendor’s responsibility to patch the issue promptly.

CVE Assignment

8.1. CVE IDs are assigned only after confirming there are no conflicts with existing CVEs. Assignment may be delayed to prevent duplicate CVE IDs across multiple CNAs.

8.2. If multiple researchers report the same vulnerability, the CVE is assigned to the first valid report. All later submissions are rejected.

8.3. Researchers may disclose vulnerabilities already reported to other programs by selecting the appropriate option during submission. In such cases, the vulnerability may be listed without a CVE ID.

Research Points (XP)

9.1. XP (Research Points) are awarded for valid vulnerability reports and are used to determine competition rankings and winners on monthly competitions and custom events.

9.2. XP calculations are based on several factors, described below.

9.3. XP calculated by adding multipliers (listed below) to the initial CVSS base score number.

CVSS Base Score (v3.1)

10.1. The CVSS v3.1 is the primary indicator of severity and must be calculated using the official calculator: https://www.first.org/cvss/calculator/3.1

10.2. We are using only CVSS base score for all the calculations.

Active Install Count

11.1. Each range applies a multiplier to the final XP score

11.2. For premium products, active installs are estimated based on sales volume.

Privilege Requirement Coefficients

12.1. XP multipliers are applied based on the minimum privilege level required to exploit the vulnerability.

Vulnerability Type Coefficients

13.1. XP multipliers are applied based on vulnerability type.

13.2. If a CSRF vulnerability leads to another vulnerability type (for example, CSRF leading to RCE), both multipliers apply.

13.3. If install or sales numbers cannot be reliably determined, Patchstack may use public data sources such as Google SERPs or PublicWWW.

13.4. XP is calculated monthly or within the timeframe of a specific custom event. Ongoing results appear on the leaderboard: https://patchstack.com/database/leaderboard

13.5. Final results are announced after all reports are validated (up to 10 business days if a backlog of reports requires more time for processing).

Disclosure

14.1. All vulnerabilities are publicly disclosed to the Patchstack Vulnerability Database according to the Patchstack Vulnerability Disclosure Policy.

14.2. Disclosure may be delayed until a fix is released and sufficient user adoption is observed.

14.3. Policy details: https://patchstack.com/patchstack-vulnerability-disclosure-policy/

14.4. Researchers must not disclose vulnerability details to any third parties before official public disclosure by Patchstack, which occurs when the vulnerability is publicly visible in the Patchstack Vulnerability Database and the assigned CVE is published.

14.5. To comply with EU CRA requirements all publications will be instant once the patch is released and validated (or released after validation).

14.6. The patch must be released as a dedicated update containing only security-related changes, with no additional code modifications. The version number or changelog description must clearly indicate that the release is a security fix.

Escalation Protocol

15.1. If a vendor does not respond within 14 days, Patchstack may proceed with public disclosure and may notify relevant security teams.

15.2. For components enrolled in Patchstack mVDP, disclosure timelines may be extended. Disclosure may be accelerated in cases of active exploitation or third-party disclosure.

15.3. If a vendor overlooks a report and the vulnerability is publicly disclosed, they may contact us at [email protected] to receive prompt assistance with vulnerability details, quick patch validation, and issue resolution.

Attribution

16.1. Public disclosures include researcher attribution using the provided name or nickname, and include ‘Patchstack Bug Bounty Program’ for program recognition.

16.2. CVE IDs are published in the global CVE database after disclosure with the same researcher data as in the Patchstack Vulnerability Database entry.

Monthly Competition

17.1. Monthly competitions run from the first day of the month at 00:00 UTC to the last day at 23:59 UTC.

17.2. Results are announced on the Patchstack Alliance Discord server.

17.3. Patchstack guarantees a minimum monthly bounty pool of $8,800, distributed based on final rankings.

17.4. Leaderboard: https://patchstack.com/database/leaderboard

Custom Events, Challenges

18.1. Custom events and CTF games are announced on Discord as well as their rules.

18.2. Custom challenges might be announced for extra bounties as a part of monthly competition.

Monthly Bounty Pool

19.1. Monthly bounties are distributed based on final leaderboard rankings as follows:

19.2. A random bounty of $50 is awarded to one randomly selected researcher outside the top 20 rankings who has submitted at least one valid report with XP greater than 0.

19.3. High-impact vulnerabilities may be eligible for individual bounty rewards even if they do not qualify for the Zeroday program. Such cases are evaluated individually and must be discussed by opening a support ticket on the Patchstack Alliance Discord server in the #support channel.

XP Requirement

20.1. Bounties are paid only if the researcher has more than 0 XP for the respective month. If a researcher has 0 XP, no bounty will be paid, even if their leaderboard position qualifies for a reward. This rule also applies to random rewards.

Level Rewards

21.1. Researchers receive passive rewards for accumulating XP and progressing through levels. XP is earned through:

• Monthly competitions
• Custom events
• Patchstack Zeroday bounties

21.2. Levels reset to Level 1 at the beginning of each year. Updated level-related rules are announced after final monthly and yearly results are confirmed.

21.3. Starting from Level 1, researchers unlock additional rewards. These rewards are paid together with monthly bounties.

Zeroday Bounties

22.1. Patchstack offers Zeroday bounties for high-impact vulnerabilities on a case-by-case basis (bounty per vulnerability).

22.2. Zeroday rewards are paid together with monthly bounties.

22.3. Zeroday Bounties are:

22.4. Zeroday bounty requirements are

• To qualify for a Zeroday bounty, all of the following conditions must be met:

• The component is a free or premium WordPress plugin, theme, or WordPress core
  (excluding components hosted in private, non-public repositories)
• The vulnerability leads to a full site compromise, including the ability to upload and access a functional backdoor
• Exploitable by:
  • Unauthenticated users, or
  • Subscriber / Customer (WooCommerce) roles or lower
• The report includes a working exploit
• No prerequisites are required:
  • Latest stable version
  • Default settings
  • Common environment
  • No additional vulnerabilities required
• Exploitation does not require user interaction
• The vulnerability:
  • Has not been reported elsewhere
  • Is not previously known to the vendor
  • Is not publicly disclosed
• The vulnerability is eligible under all other Patchstack program rules
• End-of-life components or components not updated in the last three years are not accepted
• Any required POP chain must exist in:
  • The latest WordPress core version at the time of submission, or
  • The affected component itself
• A single vulnerability affecting multiple components is treated as one issue, resulting in:
  • One bounty payout
  • One CVE ID
  • Total active installs across all affected components used to calculate impact

22.5. Valid Zeroday vulnerabilities are not included into XP for the monthly competition or levels as they are rewarded separately.

22.6. XP points earned from Zero-day reports do not contribute to level progression (21. Level Rewards), as these reports are rewarded on a per-bounty, per-report basis.

Benefits of Participation

23.1. Participation provides opportunities to:

• Earn financial rewards
• Gain public recognition
• Receive CVE IDs for valid vulnerabilities
• Contribute to improving the security of the WordPress ecosystem and open-source in general
• Engage with the Patchstack research community

Membership

24.1. Membership in the Patchstack Alliance is open to individuals committed to improving WordPress security and complying with program requirements. Members receive access to Discord member-only channels.

24.2. Patchstack reserves the right to remove or ban any researcher from the public Discord channels dedicated to the Alliance community and the Bug Bounty program (including account deletion) in cases of inappropriate behavior, violations of applicable rules, or failure to adhere to the ethical standards of responsible vulnerability disclosure.

Payouts

25.1. Bounties are paid via PayPal by default. Researchers are responsible for managing their PayPal accounts, complying with all local tax obligations.

25.2. If a PayPal account is blocked, restricted, or frozen due to sanctions, Patchstack will attempt to complete payment within three months. After three months, unpaid bounties are returned to the bounty pool.

25.3. For bounties of $500 or higher we offer two more payment options:

• Bank transfer payments
• Cryptocurrency payments (Bitcoin or Ethereum) are processed using the exchange rate available at the time of payment. Patchstack is not responsible for any decrease in cryptocurrency value. By choosing this payout method, you acknowledge and accept all associated risks.

25.4. Invoice is mandatory despite the payment method, PayPal has its own integrated invoicing engine, for other payments you need to generate invoices on your own. All payments require an invoice. Payments are not processed without one.

25.5. Invoices must include:

• Full name
• Country and address
• Addressed to: Patchstack OÜ
• Payment purpose:
  “Security research (your name or nickname used in the program)”

25.6. Payments are processed 30 days after final results are announced.

25.7. Additional payment guidance:
https://www.notion.so/patchstack/Patchstack-Alliance-payments-b6d63c55099e4f65b842bc5ce60de2d7

Communication

26.1. Official updates are shared via:

• Discord: https://discord.gg/rkE8yxtNmS
• X (Twitter): https://twitter.com/patchstackapp
• Facebook: https://www.facebook.com/patchstackapp
• LinkedIn: https://www.linkedin.com/company/patchstack/

26.2. Support is available via Discord support tickets on #support channel.

26.3. Edge case or sensitive matter of question - [email protected]

The post Patchstack Bug Bounty Guidelines & Rules (2026 edition) appeared first on Patchstack.

Like many other brands or businesses we also have an online community for our users to talk, ask questions, and discuss security and Patchstack related matters. With the Facebook community, it's easier for us to be closer to our community and get more valuable feedback from those who matter.

What is a community?

In its simplest form, a community is a group of people who share a common interest. An online community formed around a particular business consists of customers, both existing and potential, who are interested in the product or service that is offered.

Why did we create a website security community?

We try to be flexible as we grow and improve our product. As the way to growth, we need to constantly improve our services.

To be able to improve the services so that people will benefit from it we need a community of people who value security, who use the product and can see what kind of features would they need to make the everyday life easier, safer and more organized.

To speak to our users we made a Facebook community to build closer relationships with our users, to share the values, share the knowledge and expertise.

Since 97% of adults, aged 16 to 64 have at least one account in some social platform, we believe it’s the best way to deliver new information fast and make it easily reachable for everyone.

We love to talk to our customers because they are the ones that we built Patchstack for. To engage, listen and act the way our customers would prefer the product to grow is one of the most important parts of our business.

Website Security Community by Patchstack on Facebook

The website security community by Patchstack is meant for more general discussions and information sharing. It’s a place for discussions about different related topics and to meet others who also value security and want to help us make to world more secure one website at a time.

Keep in mind that Patchstack Facebook community has not been made to give technical support from the Patchstack team. If you need support or any help with Patchstack services you should contact us directly on live support on our website.

Before you join the Facebook community please take a look at the group guidelines here: Patchstack Community Guidelines

Join website security community by Patchstack

Other important links:

Patchstack vulnerability database

WordPress vulnerability news

Patchstack support and documentation

The post Website Security Community Of Patchstack appeared first on Patchstack.