<aside> ℹ️ The last time rules were updated was 2023-05-29 at 14:09:35 (UTC), the latest edits are marked with a yellow background.

</aside>

Short version

• Everyone can submit vulnerability reports to the Patchstack Alliance if they follow Patchstack Alliance rules.
• For now, we accept only reports for components of the WordPress ecosystem (WordPress core, free or premium plugins, and themes).
• Reports must result in a CVSS (version 3.1) base score of 2.0 or higher. They must not have any unusual, unrealistic, or vulnerability-chaining prerequisites that make exploitation difficult except for cases when two vulnerabilities are reported, and one is possible due to the presence of another one.
• Everyone has a chance to get a bounty for their research. We have an open competition with a monthly bounty pool for each month which will be distributed to the best-performing members.
• We will assign a CVE ID to all reports that meet Mitre / CVE requirements.

<aside> ⚠️ There are more conditions. See all rules. These rules are subject to change. We'll inform you about the changes in the Patchstack website and the official Patchstack Alliance Discord forum. For more information - darius.sveikauskas@patchstack.com

</aside>

Long version

1. Vulnerabilities and report submission
2. Competition, prize pool, and bounties
3. Membership
4. What Patchstack offers