Red Team Membership
- It's an invite-only community of pentesters and bug bounty hunters. We do not offer self-registration, in order to avoid fake users.
- To become a team member, you need to receive an invitation; a potential member can also be recommended by another active Red Team member.
- Recommendations alone are not enough. Only researchers with at least one reported (according to the reporting rules) and confirmed vulnerability can receive an invitation to the Red Team.
- Each Red Team member will have their own public profile page on the Red Team website. We will add all provided information and a list of vulnerabilities discovered by this team member.
- We will also add new members to the dedicated Patchstack Red Team Slack workspace.
- Communication between Patchstack and Patchstack Red Team members should be done by email at email@example.com and in the Patchstack Red Team Slack.
- Each member must provide a basic set of information about themselves: the name or nickname they would like to use as the signature under discovered vulnerabilities, a contact email, and a short description for a brief introduction on their public profile.
- Red Team members may be asked to give interviews, as we want to introduce Red Team members to the public for transparency and project promotion purposes.
- We expect common sense and abstention from actions that may, in one way or another, damage the image of the Red Team project.
- Patchstack reserves the right to expel any member from the Red Team member list for unethical or malicious acts that may harm the image of Patchstack or the Red Team.
- Patchstack will disclose vulnerabilities submitted to the Patchstack Red Team in its public and free vulnerability database, available at https://patchstack.com/database/. We will allow others to share this information in open sources or use it for closed projects, as we don't want to limit the spread of this information.
- All vulnerabilities submitted by Red Team members must be unique and not previously published anywhere, to ensure Patchstack will be the first to disclose the particular vulnerability. Vulnerabilities that have been publicly disclosed in any other open source before they are submitted to Patchstack will not count.
- The submission of vulnerabilities shall be carried out following the established procedure by providing all necessary data. Also, we accept submissions by email at firstname.lastname@example.org if it's more convenient for you.
- The Patchstack Red Team adheres to a philosophy of ethical disclosure. Therefore, disclosure of a vulnerability is withheld until the software manufacturer publishes a patched version and most users have updated it on their websites. The aim is to minimize the negative impact that disclosure of vulnerabilities can cause.
- If the software manufacturer takes no action and ignores the information received, the vulnerability will be reported to the WordPress Security Team (https://developer.wordpress.org/plugins/wordpress-org/plugin-security/reporting-plugin-security-issues/).
- We will disclose vulnerabilities on behalf of the author. However, we will add "(Patchstack Red Team)" to the author's name to publicize the whole project. We will also include all other information provided by you (your name or nickname, your company name, and additional information that could give you and your company more publicity). Finally, if a Red Team member wants to stay incognito, we will list "Patchstack Red Team" as the researcher.
- Patchstack will help Red Team members communicate with software developers and organizations, properly prepare vulnerability information for disclosure, get vulnerabilities included in the CVE database, and handle other procedures that ensure quality and ethical disclosure of vulnerabilities.
- Make sure you provide all vulnerability details in your reports. Any additional (unreported) vulnerabilities discovered while validating a reported vulnerability or verifying patches applied by vendors will be published in the name of the Patchstack researcher who finds these unreported issues.