Adding software to mVDP
Patchstack accepts all WordPress software (plugins and themes) into its mVDP directory. Here is the process for listing your first software:
- Log in to the mVDP platform: vdp.patchstack.com
- Click the green + Start new button
- Fill in the form as shown below
- Add a VDP disclaimer to your software readme.txt file, or security.md in GitHub
Note that if you maintain separate software for free and paid licenses, you will have to add these as completely separate entries.
Form fields
- Pick whether you are submitting a plugin or a theme
- Pick whether it is free software or premium-licensed software. You can also choose Both if you cover both plans in one software (also known as a freemium plugin)
- Software name - type the name of this software. This is how it will appear in the Patchstack VDP directory and in the vulnerability database
- Software URL - the software repository URL is preferred. If the software is not in the WordPress repository, enter any URL that leads to your software website
- Product slug - type the slug that you’d like to be identified with in the Patchstack VDP listing and database entries
- Software description - write a short description, which will be shown in the Patchstack VDP listing
- Dependencies - write down all the third-party software that your software depends on
- Secondary email - if you’d like to receive sensitive information about vulnerabilities at another email address, you can write down your secondary email
- Upload software icon - this icon will be shown in the Patchstack VDP directory and in the vulnerability database
- Upload source code - if your plugin is not available in a public repository, you should upload the source code for us to view
Having filled in the form, click Start program
Finalizing your first software setup
After submitting the form, you’ll be taken to the page for the software you added. In the future, this page will show all the vulnerability and report statistics for your software.
Before Patchstack can validate your software, you will have to add a VDP disclaimer to your software readme.txt or security.md file in GitHub. The disclaimer can be copied by clicking the Copy disclaimer for… button.
If you don’t have your project present on the WordPress repository, please e-mail us for verification at triage@patchstack.com
Adding a disclaimer on different platforms
Depending on the platform you are using to host your software, you will have to add the VDP disclaimer in different places. Here are some best practices for how to do it.
WordPress repository
You should add the disclaimer to your readme.txt file. The most common place to add it is the FAQ section.
GitHub / Gitlab / Bitbucket
You should add the disclaimer to your security.md and the readme.md file. If you don’t have those files, you can create them in the root of your repository.
Envato Marketplace
You should add the disclaimer either to the main description of your component or add it to the support tab.
Product website
All websites are different, so there is no one-size-fits-all solution. However, we recommend creating a dedicated page for security (e.g. security or report security issues) and adding the VDP disclaimer there. Next, you should link to this page from the footer of your website, so that it is easy to find.
If you have more components, you can put all the disclaimers on that page.
Example disclaimer
This is an example disclaimer. Do not paste it into your software, as it includes an example link. You should copy the disclaimer straight from the mVDP platform by clicking the Copy disclaimer for… button.
= How can I report security bugs? =
You can report security bugs through the Patchstack Vulnerability Disclosure Program. The Patchstack team help validate, triage and handle any security vulnerabilities.
[Report a security vulnerability.](https://patchstack.com/database/vdp/your-software-slug)
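
A pre-release check for the disclaimer placement described above, as an added example that is not Patchstack's own tooling: it flags files with no report link, files still carrying the example link from this page, and a readme.txt whose link sits outside the FAQ section. The function names, the `demo-plugin` slug and the sample files are constructed, and the check assumes the link ends in the product slug you entered in the form.

```python
import re

# Link shape taken from the example disclaimer on this page.
VDP_LINK = re.compile(r"https://patchstack\.com/database/vdp/([A-Za-z0-9_-]+)")
PLACEHOLDER = "your-software-slug"  # slug of the page's example link; must not ship

def faq_body(readme: str) -> str:
    """Return the text under '== Frequently Asked Questions ==' in a readme.txt."""
    body, inside = [], False
    for line in readme.splitlines():
        header = re.fullmatch(r"==\s*(.+?)\s*==", line.strip())
        if header:  # '== Section ==' starts a section; '= Question =' does not match
            inside = header.group(1).lower() == "frequently asked questions"
        elif inside:
            body.append(line)
    return "\n".join(body)

def check_disclaimer(files: dict, slug: str) -> list:
    """files maps file name -> text. Returns a list of (file, problem) findings."""
    findings = []
    for name, text in files.items():
        slugs = VDP_LINK.findall(text)
        if not slugs:
            findings.append((name, "no VDP report link"))
            continue
        if PLACEHOLDER in slugs:
            findings.append((name, "example link pasted instead of copied disclaimer"))
        elif slug not in slugs:  # assumption: link slug equals the product slug
            findings.append((name, "link slug does not match product slug"))
        if name.lower() == "readme.txt" and not VDP_LINK.search(faq_body(text)):
            findings.append((name, "link is outside the FAQ section"))
    return findings

# Constructed sample files, not taken from any real plugin.
SAMPLE = {
    "readme.txt": "=== Demo Plugin ===\n\n== Description ==\nDemo.\n\n"
                  "== Frequently Asked Questions ==\n\n"
                  "= How can I report security bugs? =\n\n[Report a security "
                  "vulnerability.](https://patchstack.com/database/vdp/demo-plugin)\n",
    "security.md": "[Report a security vulnerability.]"
                   "(https://patchstack.com/database/vdp/your-software-slug)\n",
    "readme.md": "# Demo Plugin\n",
}

if __name__ == "__main__":
    for name, problem in check_disclaimer(SAMPLE, "demo-plugin"):
        print(f"{name}: {problem}")
```
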