Question 1

How are the bounties paid out?

Accepted Answer

Patchstack currently supports two forms of payouts.1. Paypal. Patchstack covers all payout fees, so you receive the full amount exactly as promised. However, we are not responsible for other fees such as withdrawal or local taxes. Each researcher is responsible for administrating their local taxes related to the bounty payouts. 2. Cryptocurrency payments (Bitcoin or Ethereum). Payouts are processed using the exchange rate available at the time of transaction. Patchstack is not responsible for any decrease in cryptocurrency value. By choosing this payout method, you acknowledge and accept all associated risks.

Question 2

How is XP for the monthly competition calculated?

Accepted Answer

XP points are calculated by combining parameters like CVSS score, active installation (sales if premium) count, and prerequisite (authentication/authorization) needed to carry out an attack. No points are given if the reported component has less than 500 active installs (sales if premium) or requires an admin/super-admin role as a prerequisite. However, these reports will still receive a CVE ID for the submitter.

Question 3

What are the minimal requirements to receive monthly bounties?

Accepted Answer

Requirements for Zeroday bounties. Requirements for the monthly competition.

Question 4

Wait… bounties for finding vulnerabilities in FREE software?

Accepted Answer

Indeed, Patchstack is paying bounties for vulnerabilities even if the software vendors have no means to fund it. We finance the bounty program from our core business to give back to the community.

Question 5

How can I join Patchstack's Bug Bounty program?

Accepted Answer

Everyone can join Patchstack's Bug Bounty program as long as they are committed to making the WordPress ecosystem safer. By submitting at least one valid vulnerability report that meets Patchstack's Bug Bounty program vulnerability report submission requirements, you become a member of Patchstack's Bug Bounty program.

Question 6

What is Patchstack's Bug Bounty program?

Accepted Answer

Patchstack's Bug Bounty program is an open community of cyber security researchers, developers, pentesters, and bug bounty hunters who research and report security issues in WordPress plugins to win monthly bounties, special competitions, and seasons. Our reporting process and validation triage fast-track security patch creation for vendors, saving you time to do more research. We already have some of the best WordPress security talents on our dedicated Discord channel, and our community was the world's largest contributor of open-source vulnerability disclosures in 2023, surpassing even the GitHub community.

Installs	Subs	Unauth
15M+/Core	$16,500	🔥$33,000
5M+	$7,200	$14,400
1M+	$3,600	$7,200
500K+	$2,450	$4,900
100K+	$1,300	$2,600
50K+	$700	$1,400
10K+	$300	$600
5K+	$200	$400
1K+	$125	$250

🥇 1st	$2,000
🥈 2nd	$1,400
🥉 3rd	$800
4th	$600
5th	$500
6-10th	$400
11-15th	$200
16-19th	$100
20th	$50
Random pick	$50
Random pick outside TOP20	$50

Lvl 12	$5,000
Lvl 11	$3,500
Lvl 10	$2,500
Lvl 9	$1,700
Lvl 8	$1,337
Lvl 7	$1,000
Lvl 6	$700
Lvl 5	$500
Lvl 4	$300
Lvl 3	$200
Lvl 2	$100
Lvl 1	$50

Earn cash bounties by hunting for vulnerabilities in WordPress software

Zeroday payouts up to $33,000

Rewards

Monthly TOP20 prize pool $8,850

Rewards

Level up to unlock rewards $16,887

Rewards

Focus on research and let Patchstack handle reporting to vendors

Clear framework

Submissions overview

Public profile

How to start your researcher profile?

1

2

3

4

What the FAQ

Ready to squash some security bugs and cash those bounties?