Question 1

What is the difference between VDP and mVDP?

Accepted Answer

VDP stand for Vulnerability Disclosure Program which is usually self-managed. mVDP stands for managed Vulnerability Disclosure Program. This means that Patchstack processes all the vulnerability reports for you, rejects the false ones, provides additional information if needed, and helps validate the patches before release — making it the much more comfortable option.

Question 2

How do you handle security reports?

Accepted Answer

Once we receive the report for your software, we triage it to validate it. If it is valid, we will forward all report information to you the vendor. Once you have the patched version ready, we help validate the patch so users do not receive an incomplete fix. Once the patch is released, we give users time to update the software to the safe version after which the vulnerability will be disclosed to the Patchstack Vulnerability Database and be published to the CVE ID database.

Question 3

Do I need a Vulnerability Disclosure Program just for that?

Accepted Answer

It's not just vulnerability processing. Having a VDP security program is a signal to your users that you take security seriously and your software is trustworthy. Easy reporting motivates more security researchers to look for vulnerabilities and report them via the Patchstack Bug Bounty program to help make your software better and safer. Also, it's a must when it comes to complying with the European Cyber Resilience Act which now requires all businesses in Europe to have an overview of the security state of their software.

Question 4

Is it accessible to all?

Accepted Answer

Yes, it's free for all plugin or theme developers, whether your software is free or premium. The only software components we do not accept are those custom-made, built for your needs, and not publicly shared or available to purchase. Also, we currently don't accept libraries for the mVDP program.

Question 5

Are premium plugins and themes also accepted?

Accepted Answer

Yes, premium plugins and themes are accepted in the program under the same conditions as free ones. The primary condition is that the premium software should be available for purchase publicly. Private software components are not accepted.

Question 6

What if I don't have time to fix the vulnerability?

Accepted Answer

The vulnerability will be disclosed 30 days after the report is sent to the vendor with the status "unfixed" and alerts sent to all Patchstack Vulnerability Database and partners who leverage our API. Vulnerabilities must be fixed, and there's no way to avoid disclosure as it's not related to mVDP membership. We process all possible vulnerabilities in the same way. Note that there have been a growing number instances of plugins getting closed on the WordPress repository due to unfixed security flaws. Getting your plugin reaccepted by the voluntary WordPress security team is a lot longer process than fixing the security risk.

Question 7

Do I need to fix low-priority vulnerabilities that cannot be exploited?

Accepted Answer

These are still vulnerabilities and can be used in a chained attack vector. We provide patch priority recommendations for users, but vendors must patch any vulnerability within 30 days of receiving the report. Note that there have been a growing number instances of plugins getting closed on the WordPress repository due to unfixed security flaws. Getting your plugin reaccepted by the voluntary WordPress security team is a lot longer process than fixing the security risk.

Question 8

Why are unfixed vulnerabilities being published?

Accepted Answer

Users need to know that they are using vulnerable software. The main goal is to protect users as much as possible from security incidents. Either they take action, or the vendor does. Patchstack is simply the mediator here — as security researchers could also report these finding to the CVE ID database (as they previously did) and have the right to request their findings to be published. Thirty days is more than enough to provide users a patch. Sometimes vulnerabilities can be disclosed earlier if a third party finds and discloses the same vulnerability, or we can see that the vulnerability is actively exploited.

Question 9

How does this benefit security researchers?

Accepted Answer

Patchstack incentivizes researchers through a monthly bounty pool. Researchers receive extra Alliance XP for reporting vulnerabilities in software with a mVDP. Patchstack is also a registered CNA, allowing us to claim CVE records for the researchers findings. This is valuable proof they can use to show their expertise in security on profiles they can showcase to the security community and industry.

Question 10

What are the benefits to me as a developer/vendor?

Accepted Answer

Patchstack, a leading WordPress security company, will manage your VDP. You'll receive only validated vulnerability reports and additional technical information for faster patching, and all patches will be validated before release. You'll spend fewer resources usually have to allocate for in-house VDP management.

Question 11

How much does mVDP cost?

Accepted Answer

It's free, but you can customize your mVDP program and ask to set up a bounty pool with custom scopes and rules to motivate security researchers. You can set any bounty pool for your private VDP program, but additional rules and obligations apply to ensure your private program meets industry standards.

Question 12

What do I need to activate the mVDP?

Accepted Answer

The first step is to submit your plugin or theme to the mVDP program and provide contact information for technical contacts about reports. To activate the program, your plugin/theme page or vulnerability disclosure policy should include information about the program and where to report vulnerabilities for a particular product – the VDP page we generate for each plugin or theme submitted to the mVDP program.

Question 13

Will you check my software for security issues once I join the program?

Accepted Answer

No, the primary goals of the mVDP program is to make vulnerability reporting more straightforward for researchers and to make it easier for you to process vulnerabilities. We try to motivate independent researchers to check all plugins and themes from the mVDP program by giving them extra points for their research, but this can't be compared to a full-scale code review. If you need a full code review, you can request auditing.

Question 14

How is the Patchstack Bug Bounty program related to mVDP?

Accepted Answer

We have a vast community of security researchers motivated to check plugins and themes from the mVDP program. They are awarded additional points for vulnerabilities discovered within our mVDP program. More points earn them a higher position in the monthly competition, and a higher scoreboard place means a higher bounty at the end of the month. Yes! We pay security researchers to check your free (and premium) plugins and themes.

Question 15

I don't know how to make a patch for the reported vulnerability.

Accepted Answer

It's not a problem. We provide additional technical information and an explanation of the vulnerability vector so you can understand how vulnerabilities work and how to change the code to fix them. Moreover, you can join the Patchstack Alliance community Discord server to talk with other developers and researchers and get help solving security issues with your software. You can also check out our introductional article for patching the most common vulnerabilities.

Question 16

What if I got a report from 3rd party?

Accepted Answer

We ask vendors to share those reports with us so we can validate them on our end and provide additional technical information on how to fix the issue. This is a great way to avoid duplicates and collisions in reports and the CVE database.

Question 17

How is Patchstack using the vulnerability data?

Accepted Answer

Once it is safe or if there's a need for earlier disclosure, vulnerability information is disclosed to the public Patchstack Vulnerability Database and CVE (Common Vulnerabilities and Exposures) database. Patchstack also uses this data to provide vulnerability information to our partners and to produce mitigation rules that provide instant protection for our paid users websites — reducing the exposure gap and risk until an official fix can be applied.

Question 18

Can I have multiple VDP programs?

Accepted Answer

Yes, it's possible, but we still ask for the information you're getting from other VDP programs you're using. We recommend using only one VDP program to avoid confusion and misinformation. Usually, vendors choose private VDPs for their internal systems and websites and let Patchstack manage VDPs for their plugins and themes.

Question 19

Can I add a plugin that was developed by someone else?

Accepted Answer

Suppose a particular plugin or theme doesn't belong to you, and you're not contributing officially to its development. In that case, you can't activate the mVDP program, as we require mVDP-related information to be added to the plugin or theme files/pages.

Question 20

I got a report for the same type of vulnerability but affecting different parameters. Why was it not mentioned in the first report?

Accepted Answer

When validating the reports, we do not conduct a full-scale code review and focus only on reported issues. Check all parameters/inputs on your software that can be affected by the same reported vulnerability and try to patch them immediately.

Question 21

My software is flagged as vulnerable in the version that doesn't exist. What does it mean?

Accepted Answer

It means it collides with another plugin or theme using the same slug as your plugin or theme. Having two identical slugs is impossible on the wordpress.org repository, but collisions can happen with products that are hosted on other repositories like Envato CodeCanyon/ThemeForest. It's hard to avoid collisions and false positives if the version ranges for both products are similar, especially when the vulnerable component has a higher version.

Question 22

My product is available in a free and premium version, and both share almost the same codebase. Do I need to add both to the mVDP program?

Accepted Answer

Yes, it's recommended. Several scenarios are possible, like the same vulnerability affecting both versions or a vulnerability that only exists on the free or premium version. We will ensure nothing is missed and vulnerabilities are processed as they should be.

Question 23

What happens if I ignore or reject a report?

Accepted Answer

Patchstack's triage team verifies all findings before passing them on to vendors. Depending on the severity and nature of the vulnerability, Patchstack has up to 30 days to share data with authorities and publicly disclose the report while crediting the researcher. Failing to address severe security issues can lead to plugin closures.

Comparison	mVDP by Patchstack	In-house VDP
Cost	Free	Tools and staff (security analyst)
Implementation	15 minutes	Process development takes time
Compliance	Pre-built compliance with CRA, ISO/IEC 29147, GDPR in mind	Requires expertise (compliance officer) and time to research legalities
Talent	Patchstack runs the most active open-source bug bounty program and a top-tier triage team	Security researchers are difficult to attract, motivate and manage
Threat Intelligence	Continuous 24/7 processing of incoming data, along with intelligence from third-party data sources	Additional operational burden and limited due to lack of monitoring in distributed software
Quality	Fully filtered and valid reports with commentary from the triage team	High percentage of false, incomplete and meaningless “beg bounty” reports
Vulnerability processing	Patchstack is the worlds’ largest handler of vulnerability data (CNA)	Obtaining a CNA status to disclose vulnerabilities requires resources
Disclosure and handling	Patchstack manages legal complexities and coordinates disclosure via best industry practices	Higher legal risks due to lack of expertise, and additional operational burden

Ship more secure code, faster

Take your code security to the next level and partner with the leader in open-source security

Managed VDP

Security disclosure and CRA compliance with Patchstack

What the FAQ

Start a free managed VDP and streamline vulnerability disclosure