This protocol outlines how security researchers, customers, partners, and any individuals interacting with Patchstack products can responsibly report security vulnerabilities.
Scope
This responsible disclosure program covers security vulnerabilities in:
- Patchstack website and web applications
- Patchstack WordPress plugin and any extensions or integrations developed by Patchstack for other content management systems or platforms
- Patchstack APIs and infrastructure
- Any Patchstack-owned digital assets
Note: This program applies only to Patchstack-owned systems, software products and services.
For vulnerabilities in third-party WordPress plugins covered by our Bug Bounty Program, please visit: https://patchstack.com/bug-bounty
Authorized Testing
Security testing under this policy is authorized only within the defined scope and must comply with the following conditions:
- Testing must not impact service availability, stability, or performance
- Automated scanning or high-frequency requests are not permitted without prior written approval
- Testing must not involve lateral movement, privilege escalation attempts beyond the identified vulnerability, or access to systems outside of scope
- Any activity that may degrade, disrupt, or interfere with Patchstack services is strictly prohibited
How to Report a Vulnerability
If you believe you have discovered a security vulnerability, please report it using one of the following methods:
Email (Preferred)
Vulnerability Disclosure Form
URL coming soon…
What to Include in Your Report
To ensure efficient triage and validation, reports must include:
- Clear description of the vulnerability
- Steps to reproduce the issue
- Proof of concept (PoC) or supporting evidence (screenshots, video recordings)
- Impact assessment (what an attacker can realistically achieve)
- Confirmation that the issue is reproducible on the latest production version at the time of submission
- Your contact information (optional, anonymous reports are accepted)
Reports lacking validation, reproducibility, or clear impact may be rejected.
Our Commitment
When a vulnerability is reported in good faith, Patchstack commits to:
- No legal action against compliant, good faith research
- Timely acknowledgment of received reports
- Reasonable communication throughout the remediation process
- Professional and respectful treatment of all researchers
- Public recognition, if desired, following coordinated disclosure
Safe Harbor
Security research conducted in compliance with this policy, including the Authorized Testing requirements, is considered authorized and conducted in good faith.
Such research is:
- Authorized under this policy
- Conducted in good faith
- Exempt from legal action
To qualify for Safe Harbor protections, researchers must:
- Avoid privacy violations, service disruption, and data destruction
- Access only the data strictly necessary to demonstrate the issue
- Not access, download, or exfiltrate large volumes of sensitive data
- Not modify or delete any data
- Not perform actions that could degrade system performance or availability
- Not use social engineering against Patchstack employees or customers
- Not disclose vulnerabilities publicly prior to resolution
Failure to comply with these conditions may result in loss of Safe Harbor protections.
Rewards
Patchstack may, at its sole discretion, offer rewards for valid vulnerability reports.
Reward decisions are based on:
- Severity (e.g., CVSS score)
- Report quality and clarity
- Demonstrated impact
- Affected endpoints or systems
Important:
- Rewards are not guaranteed, and the size of any reward is determined solely by Patchstack
- Duplicate reports are not eligible for rewards; where multiple parties report the same vulnerability, only the first valid and complete submission will be considered for recognition or reward
- Reports without validation or with low practical impact may not qualify
- Attempts to pressure, negotiate, or demand payment may result in disqualification
Coordinated Disclosure
Patchstack follows a coordinated disclosure process.
Public disclosure may occur only when:
- The vulnerability has been fully remediated
- Users are no longer at risk
- Disclosure timing and content are mutually agreed upon
- Disclosure does not introduce additional risk
Out of Scope
The following are considered out of scope and are not eligible for triage, recognition, or reward:
- Issues in third-party systems, applications, or websites not owned or operated by Patchstack
- Social engineering attacks against Patchstack employees, users, or partners
- Physical attacks against Patchstack offices, infrastructure, or data centers
- Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks
- Spam, phishing, or content-based abuse
- Reports generated solely by automated tools without manual validation or a working proof of concept
- Issues without demonstrable, reproducible impact in a realistic attack scenario
- Technical findings that represent best practice recommendations or hardening opportunities without a clear security impact (e.g., missing security headers, weak configurations)
- Self-XSS or issues that only affect the reporting user without impacting other users, data, or system integrity
- Issues requiring unrealistic, impractical, or highly unlikely user interaction to exploit
- Clickjacking or UI redressing issues without demonstrated sensitive actions or impact
- Lack of rate limiting, brute force protections, or similar controls without a demonstrated exploit scenario or impact
- Issues that require elevated privileges or roles and do not represent a realistic attack scenario
- Vulnerabilities reproducible only in non-production, outdated, or artificially modified environments
- Reports that are not reproducible on the latest production version of the affected system at the time of submission
- Reports based solely on publicly disclosed vulnerabilities without demonstrating impact on Patchstack systems
- Testing activities involving unnecessary or excessive collection, storage, or transmission of data
Response Timeline
Typical response targets:
- Initial response: within 2 business days
- Triage and validation: within 5 business days
Timelines may vary depending on report complexity and overall submission volume.
Questions
For questions regarding this policy, scope, or acceptable testing practices, please contact:
Final Note
We appreciate responsible disclosure and the role of the security community in improving the security of our systems. This policy is designed to enable effective collaboration while protecting our users, infrastructure, and services.