Patchstack has released detailed guidelines for their Bug Bounty Program, which aims to identify and address vulnerabilities in WordPress core, plugins, and themes. The guidelines specify the scope of the program, the types of vulnerabilities that are eligible for bounties, and the criteria for valid submissions. This initiative is designed to enhance the security of WordPress components distributed through recognized repositories such as WordPress.org, Envato, and GitHub.
The Bug Bounty Program focuses on vulnerabilities that have a clear and measurable security impact, with a CVSS v3.1 base score of 6.5 or higher. Eligible components must have at least 1,000 active installations, or at least 100 active installations if the vulnerability has a CVSS score of 8.5 or higher and can be exploited by unauthenticated users. Additionally, the component must have had a release within the last three years, and the report must target the latest available version.
Several common rejection reasons are outlined, including vulnerabilities that arise from expected functionality or configurations made by high-privilege users. Reports involving vulnerabilities with high attack complexity or those that result in minor data leakage or modification are also outside the scope. Furthermore, vulnerabilities requiring unrealistic identifiers or scenarios, as well as those involving non-publicly-distributed components, are not eligible for bounties.
Submissions must consolidate multiple findings of the same vulnerability type into a single report. Vendor or developer self-submissions are accepted for disclosure but do not qualify for bounties. Reports must be complete, accurate, and verifiable, with realistic prerequisites and exploitation scenarios. Specific types of vulnerabilities, such as CSV injection, CAPTCHA bypasses, and IP spoofing, are explicitly excluded from the program.
To participate in the Bug Bounty Program, security researchers must ensure their reports meet the outlined criteria and provide sufficient evidence of the vulnerability's impact. By adhering to these guidelines, participants can contribute to improving the security of WordPress components and potentially earn bounties for their findings.
Source: https://patchstack.com/database/report