
Ship more secure code, faster

Security and compliance platform for open-source vendors

Managed VDP

We manage security for 1,134 plugins. Browse the full directory.

Patchstack's managed VDP (mVDP) acts as an expert intermediary and streamlines vulnerability disclosure for plugin and theme developers.

Comparison of mVDP by Patchstack with an in-house VDP:
  • Cost: mVDP is free; an in-house VDP requires tools and staff (a security analyst).
  • Implementation: mVDP takes 15 minutes; in-house process development takes time.
  • Compliance: mVDP is pre-built with CRA, ISO/IEC 29147 and GDPR in mind; in-house requires expertise (a compliance officer) and time to research legalities.
  • Talent: Patchstack runs the most active open-source bug bounty program and a top-tier triage team; in-house, security researchers are difficult to attract, motivate and manage.
  • Threat intelligence: mVDP provides continuous 24/7 processing of incoming data, along with intelligence from third-party data sources; in-house, this is an additional operational burden and is limited by the lack of monitoring in distributed software.
  • Quality: mVDP delivers fully filtered and valid reports with commentary from the triage team; in-house, a high percentage of reports are false, incomplete or meaningless "beg bounty" reports.
  • Vulnerability processing: Patchstack is the world's largest handler of vulnerability data (CNA); in-house, obtaining CNA status to disclose vulnerabilities requires resources.
  • Disclosure and handling: Patchstack manages legal complexities and coordinates disclosure via best industry practices; in-house, there are higher legal risks due to lack of expertise, plus additional operational burden.

Take your code security to the next level and partner with the leader in open-source security

Managed VDP

Free

No CC required

Unlimited

Security programs

Streamline your disclosure process to fix security vulnerabilities faster and comply with emerging regulations.

Start a managed VDP for free
  • 1 seat
  • Vulnerability validation
  • CVE coordination
  • Patch validation
  • AXP boost +25% to motivate researchers
  • Follow CRA, ISO/IEC 29147, GDPR guidelines
  • Embeddable reporting form

"We highly recommend Patchstack to other companies looking to enhance their security posture. For us, Patchstack is a true partner in our security efforts, and we're more than satisfied with their services."


Miriam Schwab

Head of WordPress Relations, Elementor

For vendors

Security disclosure and CRA compliance with Patchstack

In Q4 2024, the Cyber Resilience Act (CRA) introduced obligatory software support and vulnerability disclosure guidelines for all commercial software with users in the European Union.

Patchstack solves this by acting as an expert intermediary and streamlines vulnerability disclosure for plugin and theme developers.

  • Vulnerability Disclosure Policy (VDP) template
  • A process to report security vulnerabilities
  • Document dependencies and libraries used
  • Share data with EU authorities
  • Notify users about vulnerability exploits
  • Provide security updates (separately; Patchstack helps with patch validation)

Statistics: In Q1 2025, Patchstack became the all-time largest security vulnerability processor (CNA).

Bug Bounty: Patchstack runs the most active open-source bug bounty and rewards researchers on your behalf.

Auditing: Patchstack provides paid manual full-project code review for WordPress plugin and theme developers.

What the FAQ

What is the difference between VDP and mVDP?
VDP stands for Vulnerability Disclosure Program, which is usually self-managed. mVDP stands for managed Vulnerability Disclosure Program. This means that Patchstack processes all the vulnerability reports for you, rejects the false ones, provides additional information if needed, and helps validate the patches before release — making it the much more comfortable option.
How do you handle security reports?
Once we receive the report for your software, we triage it to validate it. If it is valid, we forward all report information to you, the vendor. Once you have the patched version ready, we help validate the patch so users do not receive an incomplete fix. Once the patch is released, we give users time to update the software to the safe version, after which the vulnerability is disclosed to the Patchstack Vulnerability Database and published to the CVE ID database.
Do I need a Vulnerability Disclosure Program just for that?
It's not just vulnerability processing. Having a VDP security program is a signal to your users that you take security seriously and that your software is trustworthy. Easy reporting motivates more security researchers to look for vulnerabilities and report them via the Patchstack Bug Bounty program, helping to make your software better and safer. It is also a must for complying with the European Cyber Resilience Act, which now requires all businesses in Europe to have an overview of the security state of their software.
Is it accessible to all?
Yes, it's free for all plugin or theme developers, whether your software is free or premium. The only software components we do not accept are custom-made ones built for your own needs and not publicly shared or available for purchase. Also, we currently don't accept libraries in the mVDP program.
Are premium plugins and themes also accepted?
Yes, premium plugins and themes are accepted in the program under the same conditions as free ones. The primary condition is that the premium software should be available for purchase publicly. Private software components are not accepted.
What if I don't have time to fix the vulnerability?
The vulnerability will be disclosed 30 days after the report is sent to the vendor, with the status "unfixed", and alerts are sent to the Patchstack Vulnerability Database and to all partners who leverage our API. Vulnerabilities must be fixed, and there is no way to avoid disclosure, as it is not tied to mVDP membership: we process all vulnerabilities in the same way. Note that there have been a growing number of instances of plugins being closed on the WordPress repository due to unfixed security flaws. Getting your plugin re-accepted by the volunteer WordPress security team is a much longer process than fixing the security risk.
Do I need to fix low-priority vulnerabilities that cannot be exploited?
These are still vulnerabilities and can be used as part of a chained attack vector. We provide patch priority recommendations for users, but vendors must patch any vulnerability within 30 days of receiving the report. Note that there have been a growing number of instances of plugins being closed on the WordPress repository due to unfixed security flaws. Getting your plugin re-accepted by the volunteer WordPress security team is a much longer process than fixing the security risk.
Why are unfixed vulnerabilities being published?
Users need to know that they are using vulnerable software. The main goal is to protect users as much as possible from security incidents. Either they take action, or the vendor does. Patchstack is simply the mediator here — security researchers could also report these findings to the CVE ID database (as they previously did) and have the right to request that their findings be published. Thirty days is more than enough to provide users with a patch. Sometimes vulnerabilities are disclosed earlier: if a third party finds and discloses the same vulnerability, or if we can see that the vulnerability is being actively exploited.
How does this benefit security researchers?
Patchstack incentivizes researchers through a monthly bounty pool. Researchers receive extra Alliance XP for reporting vulnerabilities in software with an mVDP. Patchstack is also a registered CNA, allowing us to claim CVE records for the researchers' findings. This is valuable proof of their security expertise that they can showcase on their profiles to the security community and industry.
What are the benefits to me as a developer/vendor?
Patchstack, a leading WordPress security company, will manage your VDP. You'll receive only validated vulnerability reports, plus additional technical information for faster patching, and all patches will be validated before release. You'll spend fewer of the resources you would usually have to allocate to in-house VDP management.
How much does mVDP cost?
It's free, but you can customize your mVDP program and ask to set up a bounty pool with custom scopes and rules to motivate security researchers. You can set any bounty pool for your private VDP program, but additional rules and obligations apply to ensure your private program meets industry standards.
What do I need to activate the mVDP?
The first step is to submit your plugin or theme to the mVDP program and provide contact information for the technical contacts who will receive reports. To activate the program, your plugin/theme page or vulnerability disclosure policy should include information about the program and where to report vulnerabilities for that particular product: the VDP page we generate for each plugin or theme submitted to the mVDP program.
Will you check my software for security issues once I join the program?
No. The primary goals of the mVDP program are to make vulnerability reporting more straightforward for researchers and to make it easier for you to process vulnerabilities. We try to motivate independent researchers to check all plugins and themes in the mVDP program by giving them extra points for their research, but this can't be compared to a full-scale code review. If you need a full code review, you can request auditing.
How is the Patchstack Bug Bounty program related to mVDP?
We have a vast community of security researchers motivated to check plugins and themes in the mVDP program. They are awarded additional points for vulnerabilities discovered within our mVDP program. More points earn them a higher position in the monthly competition, and a higher scoreboard place means a higher bounty at the end of the month. Yes, we pay security researchers to check your free (and premium) plugins and themes.
I don't know how to make a patch for the reported vulnerability.
It's not a problem. We provide additional technical information and an explanation of the vulnerability vector so you can understand how the vulnerability works and how to change the code to fix it. Moreover, you can join the Patchstack Alliance community Discord server to talk with other developers and researchers and get help solving security issues in your software. You can also check out our introductory article on patching the most common vulnerabilities.
What if I got a report from a third party?
We ask vendors to share those reports with us so we can validate them on our end and provide additional technical information on how to fix the issue. This is a great way to avoid duplicates and collisions in reports and in the CVE database.
How is Patchstack using the vulnerability data?
Once it is safe, or if there is a need for earlier disclosure, vulnerability information is disclosed to the public Patchstack Vulnerability Database and to the CVE (Common Vulnerabilities and Exposures) database. Patchstack also uses this data to provide vulnerability information to our partners and to produce mitigation rules that give instant protection to our paid users' websites — reducing the exposure gap and risk until an official fix can be applied.
Can I have multiple VDP programs?
Yes, it's possible, but we still ask for the information you receive from the other VDP programs you use. We recommend using only one VDP program to avoid confusion and misinformation. Usually, vendors choose private VDPs for their internal systems and websites and let Patchstack manage the VDPs for their plugins and themes.
Can I add a plugin that was developed by someone else?
If a particular plugin or theme doesn't belong to you and you are not an official contributor to its development, you can't activate the mVDP program for it, as we require mVDP-related information to be added to the plugin or theme files/pages.
I got a report for the same type of vulnerability but affecting different parameters. Why was it not mentioned in the first report?
When validating reports, we do not conduct a full-scale code review and focus only on the reported issues. Check all parameters/inputs in your software that could be affected by the same type of vulnerability and patch them immediately.
My software is flagged as vulnerable in a version that doesn't exist. What does that mean?
It means there is a collision with another plugin or theme that uses the same slug as yours. Two identical slugs are impossible on the wordpress.org repository, but collisions can happen with products hosted on other repositories such as Envato CodeCanyon/ThemeForest. Collisions and false positives are hard to avoid if the version ranges of both products are similar, especially when the vulnerable component has a higher version number.
My product is available in a free and premium version, and both share almost the same codebase. Do I need to add both to the mVDP program?
Yes, it's recommended. Several scenarios are possible, such as the same vulnerability affecting both versions, or a vulnerability that exists only in the free or only in the premium version. Adding both ensures nothing is missed and vulnerabilities are processed as they should be.
What happens if I ignore or reject a report?
Patchstack's triage team verifies all findings before passing them on to vendors. Depending on the severity and nature of the vulnerability, Patchstack may take up to 30 days before sharing data with authorities and publicly disclosing the report while crediting the researcher. Failing to address severe security issues can lead to plugin closures.

If you have questions, do not hesitate to reach out via [email protected].

Start a free managed VDP and streamline vulnerability disclosure

Get started, it's free