Patchstack Launches Managed Vulnerability Disclosure Program for WordPress Plugin Developers
WordPress powers more than 40 percent of all websites on the internet, making it one of the most widely used content management systems in the world. With that level of adoption comes significant responsibility, especially for the developers who build and maintain the plugins that extend WordPress functionality. Security vulnerabilities in plugins can expose millions of websites to attacks, data breaches, and downtime. To help plugin developers stay ahead of these risks, Patchstack has launched a new managed Vulnerability Disclosure Program platform, commonly referred to as the mVDP, designed specifically for the WordPress plugin ecosystem.
This new platform represents a major step forward in how plugin vendors can approach security. By combining human security review with AI-powered code scanning, Patchstack is giving developers the tools they need to find and fix vulnerabilities earlier in the development cycle, before those issues can be exploited in the wild. In this article, we break down everything you need to know about the Patchstack mVDP, its features, pricing, and why it matters for the future of WordPress security.
What Is a Managed Vulnerability Disclosure Program?
A Vulnerability Disclosure Program, or VDP, is a structured process that allows security researchers to report vulnerabilities they discover in a piece of software directly to the vendor in a responsible and coordinated way. Without a formal program in place, researchers may not know how to report issues, or they may turn to public forums, which can expose users to risk before a fix is available.
A managed VDP takes this concept further by providing the infrastructure, tooling, and coordination needed to run the program effectively. For small plugin development teams that lack dedicated security staff, managing incoming vulnerability reports, communicating with researchers, triaging issues, and deploying patches can quickly become overwhelming. That is exactly the problem Patchstack is solving with its new mVDP platform.
By handling the operational complexity of running a disclosure program, Patchstack allows plugin developers to focus on what they do best – building features and improving their products – while still maintaining a high standard of security responsiveness.
Two Tiers to Meet Different Needs
Patchstack has structured its new offering into two security tiers, making it accessible to a wide range of plugin vendors regardless of budget or team size.
The Free Tier
The free option gives plugin developers access to the core vulnerability disclosure program infrastructure. This tier is ideal for independent developers or small teams who want to establish a formal channel for receiving security reports without committing to a monthly subscription. Having even a basic VDP in place signals to the security research community and to end users that the developer takes security seriously.
The Paid Security Suite
For developers who want a more comprehensive solution, Patchstack offers the Security Suite at a cost of 70 dollars per month. This tier is packed with features designed to accelerate vulnerability discovery, improve researcher relationships, and provide deeper code-level insights.
The Security Suite includes the following key features:
- 40 dollars of AI tokens per month – These tokens are used for automated code security reviews powered by Patchstack’s AI scanning engine, allowing developers to run detailed analysis of their codebase on a regular basis.
- Team management for up to 5 seats – Security is a team effort, and this feature allows up to five team members to collaborate within the platform, assigning roles and managing incoming reports together.
- Discussion board for researcher communication – One of the most valuable features of the Security Suite is a dedicated discussion board that enables direct, real-time communication between plugin developers and the security researchers who report vulnerabilities. This speeds up triage, reduces misunderstandings, and leads to faster fixes.
- AI code review combined with human research – The Security Suite does not rely on automation alone. It pairs the efficiency of AI scanning with the nuanced judgment of experienced human security researchers, creating a more thorough and reliable review process.
How the AI Code Scanning Feature Works
One of the standout elements of the Patchstack mVDP platform is its AI-powered code scanning tool. This feature is currently in beta and is built specifically to identify WordPress-specific security issues within a plugin’s codebase.
Unlike generic static analysis tools that may flag false positives or miss context-specific vulnerabilities, Patchstack’s AI scanner is trained on the WordPress ecosystem. It understands how WordPress hooks, filters, nonces, user roles, and database queries work, which means it can identify vulnerabilities that a general-purpose scanner might overlook entirely.
When a developer submits their code for review, the AI tool scans the entire codebase and surfaces potential issues along with suggested improvements. This gives developers actionable guidance rather than a long list of vague warnings. Common vulnerability classes in WordPress plugins – such as cross-site scripting, SQL injection, insecure direct object references, and broken access control – are among the types of issues the scanner is designed to detect.
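To make the WordPress-specific issue classes named above concrete, here is an added illustration (not Patchstack's code or scanner output) of a hypothetical plugin AJAX handler in its vulnerable form beside a hardened one; the plugin name, table and column names are invented for the example.

```php
<?php
// Constructed example: the plugin, table and column names are hypothetical.

// VULNERABLE handler: the issues a WordPress-aware reviewer would flag.
add_action( 'wp_ajax_myplugin_get_note', 'myplugin_get_note_insecure' );
function myplugin_get_note_insecure() {
    global $wpdb;
    // No nonce check: cross-site request forgery.
    // No capability or ownership check: broken access control / IDOR.
    $id  = $_GET['id'];                        // unvalidated user input
    $row = $wpdb->get_row(
        "SELECT note FROM {$wpdb->prefix}myplugin_notes WHERE id = $id" // SQL injection
    );
    echo $row->note;                           // unescaped output: stored XSS
    wp_die();
}

// HARDENED handler: the same endpoint with each gap closed.
add_action( 'wp_ajax_myplugin_get_note', 'myplugin_get_note_secure' );
function myplugin_get_note_secure() {
    global $wpdb;

    // CSRF: verify the nonce issued for this specific action (dies on failure).
    check_ajax_referer( 'myplugin_get_note', 'nonce' );

    // Access control: require a capability instead of trusting any logged-in user.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Input validation: coerce the identifier to a non-negative integer.
    $id = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( 'bad id', 400 );
    }

    // SQL injection: parameterise with $wpdb->prepare().
    // IDOR: scope the lookup to rows owned by the current user.
    $row = $wpdb->get_row( $wpdb->prepare(
        "SELECT note FROM {$wpdb->prefix}myplugin_notes WHERE id = %d AND owner_id = %d",
        $id,
        get_current_user_id()
    ) );
    if ( ! $row ) {
        wp_send_json_error( 'not found', 404 );
    }

    // XSS: escape on output before returning to the browser.
    wp_send_json_success( array( 'note' => esc_html( $row->note ) ) );
}
```

The client side must send the matching nonce (created with wp_create_nonce( 'myplugin_get_note' )) as the nonce query argument, otherwise check_ajax_referer() rejects the request.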
Because the feature is still in beta, developers who adopt it early have the opportunity to provide feedback and shape its development. Early adopters also gain a competitive advantage by having access to cutting-edge security tooling before it becomes widely available.
Boosted Visibility in the Patchstack Alliance Community
Beyond the technical features, the Security Suite also provides participating plugins with boosted visibility within the Patchstack Alliance community. The Patchstack Alliance is a network of security researchers who focus specifically on finding and responsibly disclosing vulnerabilities in WordPress plugins and themes.
When a plugin has higher visibility within this community, it is more likely to attract the attention of skilled researchers who are actively looking for security issues to report. This creates a positive feedback loop – more reports mean more identified vulnerabilities, which means faster fixes and a more secure product for end users.
For plugin developers, being active in the Patchstack Alliance community also builds credibility. Users who see that a plugin is part of a formal security program are more likely to trust it with their websites, which can translate directly into higher adoption rates and stronger user retention.
Why This Matters for WordPress Security
The WordPress plugin ecosystem is enormous, with tens of thousands of plugins available in the official repository alone. Not all of these plugins are maintained by large teams with dedicated security resources. Many are built and maintained by solo developers or small businesses who have limited time and budgets.
Historically, this has created a security gap. Vulnerabilities go unreported or unfixed for extended periods simply because developers do not have the infrastructure to receive and act on reports efficiently. The Patchstack mVDP platform is a direct response to this gap.
By lowering the barrier to running a professional vulnerability disclosure program, Patchstack is helping raise the overall security baseline of the WordPress ecosystem. When more plugins have formal security processes in place, fewer vulnerabilities go unaddressed, and the entire ecosystem becomes safer for the millions of website owners who depend on it.
Getting Started with Patchstack mVDP
Plugin developers who want to take advantage of the new Patchstack mVDP platform can sign up directly through the Patchstack website. The free tier is available immediately with no credit card required, making it easy to get started without any financial commitment.
For teams that are ready to invest in a more comprehensive security program, the Security Suite at 70 dollars per month offers strong value when you consider the cost of a single security incident – in terms of lost user trust, negative reviews, and emergency development work – compared to the ongoing cost of proactive protection.
Developers who are currently managing ad hoc vulnerability reports through email or support forums should consider upgrading to a structured platform sooner rather than later. A formal process not only improves security outcomes but also demonstrates professionalism and a commitment to the community.
Final Thoughts
Patchstack’s launch of the managed Vulnerability Disclosure Program platform for WordPress plugin developers is a significant development for the broader WordPress security landscape. By combining AI code scanning, human security research, and structured researcher communication tools into a single accessible platform, Patchstack is making it easier than ever for plugin vendors to build and maintain secure software.
Whether you are an independent developer maintaining a single plugin or part of a team managing a portfolio of commercial WordPress products, the Patchstack mVDP offers a practical and affordable way to strengthen your security posture, build user trust, and contribute to a safer WordPress ecosystem for everyone.