
How is a vulnerability processed?

Patchstack offers a managed vulnerability disclosure program for software owners who prioritize offering secure software to their customers. This program makes communication between researchers and software owners easy and efficient.

Read below how Patchstack processes vulnerabilities:

For software listed in the Patchstack VDP program

  1. Vulnerability found - Security researcher finds a vulnerability in your software
  2. Reporting to Patchstack - Researcher reports the vulnerability via your VDP form
  3. Validating the report - Patchstack validates the reported vulnerability
  4. You are notified - You'll receive an email about a vulnerability found in your software. You can log into the mVDP platform to review all the details
  5. Upload your fix - You can upload the patched version on the mVDP platform
  6. Software release - Once the patch has been validated by Patchstack, you can release this new version to the public
  7. Patchstack marks as fixed - Once the new version of the software is released with the vulnerability patched, Patchstack will mark it as fixed in the vulnerability database

For software not listed in the Patchstack VDP program

  1. Vulnerability found - Security researcher finds a vulnerability in your software
  2. Reporting to Patchstack - Researcher reports the vulnerability to Patchstack
  3. Validating the report - Patchstack validates the reported vulnerability
  4. You are contacted - Patchstack's triage team attempts to contact you via the contact details on your website or in your software files, with details and tips on how to fix this vulnerability. If we don't get a response within a reasonable timeframe, we may publish the vulnerability within 7 days
  5. Upload your fix - You can send the patched version of your software back to our triage team via email to hand it over for patch validation
  6. Software release - Once the patch has been validated by Patchstack, you can release this new version to the public
  7. Patchstack marks as fixed - Once the software with the patched vulnerability is released, Patchstack marks it as fixed in the database