1. Security Architecture
PatchWatch is designed with a strict zero-trust model to protect your WordPress server environments. We adhere to the following principles:
- Local Data Processing: All file heuristics, query logs, and PHP execution stack inspections run natively in your server sandbox. No private keys, customer tables, or raw database credentials are ever transmitted out of your network.
- AI Interpretation Filtering: When using our AI Explanations feature, telemetry reports are fully sanitized. Personal database fields, raw table values, and sensitive configurations are stripped out locally before logs are transmitted to the secure OpenAI/Gemini endpoints via HTTPS (TLS 1.3).
- Remediation Verification: Before applying one-click optimizations (such as DB index additions or hook cleanups), PatchWatch creates database checkpoints so that any unexpected performance deviation can be rolled back instantly.
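The local sanitization step described under "AI Interpretation Filtering" is easiest to reason about as an allowlist: only fields that have been reviewed as safe are copied into the outbound payload, and everything else (credentials, raw table rows, whole unknown sections) is dropped by construction. The following is an added example, not PatchWatch's own code; the report layout, the section and field names, and the sample data are constructed for illustration, since this page does not document the real payload format.

```php
<?php
/**
 * Added example, not PatchWatch's own code: allowlist-based local sanitization
 * of a telemetry report before it is sent to an AI endpoint. The report layout,
 * field names and the sample data below are constructed for illustration; the
 * real PatchWatch payload format is not documented on this page.
 */

// Allowlist: only these keys, per section, may leave the server. An allowlist
// fails safe: a new field added to the collector is dropped until reviewed,
// whereas a denylist would leak it by default.
const PW_TELEMETRY_ALLOWLIST = array(
    'environment'  => array( 'php_version', 'wp_version', 'active_plugins' ),
    'slow_queries' => array( 'sql', 'duration_ms', 'calls' ),
    'hooks'        => array( 'hook', 'callback', 'avg_ms' ),
);

/**
 * Keep the shape of a SQL statement but replace every literal with '?', so the
 * AI sees "WHERE user_email = ?" rather than a customer's address.
 */
function pw_normalize_sql( $sql ) {
    $sql = preg_replace( "/'(?:[^'\\\\]|\\\\.)*'/", '?', $sql ); // quoted strings, incl. escaped quotes
    $sql = preg_replace( '/\b\d+(?:\.\d+)?\b/', '?', $sql );    // numeric literals
    return $sql;
}

/** Apply the allowlist to one record (an associative array of fields). */
function pw_sanitize_record( array $record, array $allowed_keys ) {
    $kept = array();
    foreach ( $allowed_keys as $key ) {
        if ( ! array_key_exists( $key, $record ) ) {
            continue;
        }
        $kept[ $key ] = ( 'sql' === $key ) ? pw_normalize_sql( $record[ $key ] ) : $record[ $key ];
    }
    return $kept;
}

/** Produce the outbound payload. Unknown sections and unknown keys never survive. */
function pw_sanitize_telemetry( array $report ) {
    $clean = array();
    foreach ( PW_TELEMETRY_ALLOWLIST as $section => $allowed_keys ) {
        if ( empty( $report[ $section ] ) ) {
            continue;
        }
        $rows = $report[ $section ];
        // 'environment' is a single record; the other sections are lists of records.
        $is_list = array_keys( $rows ) === range( 0, count( $rows ) - 1 );
        if ( $is_list ) {
            $clean[ $section ] = array_map(
                function ( $record ) use ( $allowed_keys ) {
                    return pw_sanitize_record( $record, $allowed_keys );
                },
                $rows
            );
        } else {
            $clean[ $section ] = pw_sanitize_record( $rows, $allowed_keys );
        }
    }
    return $clean;
}

// Constructed sample of what a local collector might gather (illustrative only).
$raw_report = array(
    'environment' => array(
        'php_version'    => '8.2.12',
        'wp_version'     => '6.5',
        'active_plugins' => array( 'woocommerce/woocommerce.php', 'patchwatch/patchwatch.php' ),
        'db_credentials' => array( 'user' => 'wp_app', 'password' => 'hunter2' ), // must never leave
    ),
    'slow_queries' => array(
        array(
            'sql'         => "SELECT * FROM wp_users WHERE user_email = 'alice@example.com' LIMIT 10",
            'duration_ms' => 412.7,
            'calls'       => 3,
            'sample_rows' => array( array( 'ID' => 17, 'user_pass' => '(hash)' ) ), // raw table values
        ),
    ),
    'wp_config' => array( 'AUTH_KEY' => 'secret-salt', 'DB_HOST' => 'db.internal' ), // unknown section
);

echo json_encode( pw_sanitize_telemetry( $raw_report ), JSON_PRETTY_PRINT ), "\n";
```

Run with plain `php` and compare the output against `$raw_report`: the environment section keeps only the three listed keys, the query is reduced to its shape with every literal replaced by `?`, and `db_credentials`, `sample_rows` and the entire `wp_config` section are gone without any code having to name them. That last property is the point of choosing an allowlist over a denylist: the sanitizer does not need to know every secret the collector might pick up in a future release.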
2. Vulnerability Reporting Policy
We welcome reports from security researchers, auditors, and users. If you discover a vulnerability in the PatchWatch WordPress plugin or SaaS platform, we request that you disclose it to us responsibly:
Please email reports to security@patchwatch.io. Include a proof of concept (PoC), steps to reproduce, and the environment under which the issue was identified. Do not disclose the vulnerability publicly until we have released a patch.
Our Commitments:
- Triage SLA: We will acknowledge receipt and verify your report within 24 business hours.
- Patch Cycle: Verified vulnerabilities will be patched and submitted to the WordPress.org Plugin Repository within 7 business days.
- Credits: We publicly credit contributing security researchers in our changelogs and security advisories unless anonymity is requested.
3. External Security Integrations
To safeguard your website, PatchWatch cross-references your active plugins, themes, and server configuration against public vulnerability databases (including Patchstack, WPScan, NVD, and the CVE list) and alerts you when an installed component matches a published advisory, so you can patch before an exploit reaches your front-end store.
4. Resolved Security Advisories
The following log outlines past security updates for the PatchWatch core plugin:
| Advisory ID | Version | Severity (CVSS) | Vulnerability Detail & Resolution | Status |
|---|---|---|---|---|
| PW-2026-01 | v1.0.2 | Medium (5.3) | Insecure Direct Object Reference (IDOR): the diagnostic report deletion handler performed no admin capability check, so callers without administrator rights could delete reports by ID. Resolved by adding a strict `manage_options` capability check and WordPress nonce verification to the handler. | Resolved |
| PW-2026-02 | v1.0.0 | Informational | Initial Audit: Independent code assessment performed prior to WordPress.org listing. No critical vulnerabilities identified. Sanitized raw hook calls. | Closed |
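The PW-2026-01 entry describes a common WordPress plugin defect: an admin action that trusts the request outright. The following is an added example, not PatchWatch's own code, showing the vulnerable shape beside the hardened shape that the advisory's resolution describes (a `manage_options` capability check plus nonce verification). The `pw_delete_report` admin-post action, the `pw_report_id` parameter and the `pw_delete_report_record()` storage helper are hypothetical names; `current_user_can()`, `check_admin_referer()`, `wp_nonce_url()`, `absint()` and `wp_die()` are WordPress core functions.

```php
<?php
/**
 * Added example, not PatchWatch's own code: the pattern behind the PW-2026-01
 * fix. Hypothetical names: the `pw_delete_report` admin-post action, the
 * `pw_report_id` request parameter and pw_delete_report_record(). The
 * WordPress functions used are real core APIs. Runs inside a WordPress install.
 */

// Hypothetical storage helper; stands in for however reports are persisted.
function pw_delete_report_record( $report_id ) {
    delete_option( 'pw_report_' . $report_id );
}

// BEFORE (vulnerable): trusts the request completely. Any logged-in user who
// can reach admin-post.php, or any page that tricks an administrator's browser
// into sending this request (CSRF), deletes whatever report ID it names.
function pw_delete_report_vulnerable() {
    $report_id = (int) $_REQUEST['pw_report_id'];
    pw_delete_report_record( $report_id );
    wp_safe_redirect( admin_url( 'admin.php?page=patchwatch-reports' ) );
    exit;
}

// AFTER (hardened): fail closed on authorization, validate the identifier,
// then prove intent with a nonce bound to that specific report.
function pw_delete_report_hardened() {
    // 1. Capability check: only users with manage_options may delete reports.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to delete diagnostic reports.', 'patchwatch' ), 403 );
    }

    // 2. Strict input handling: the ID must be a positive integer.
    $report_id = isset( $_REQUEST['pw_report_id'] ) ? absint( $_REQUEST['pw_report_id'] ) : 0;
    if ( 0 === $report_id ) {
        wp_die( esc_html__( 'Invalid report ID.', 'patchwatch' ), 400 );
    }

    // 3. Nonce check, bound to this report ID so a token issued for one report
    //    cannot be replayed against another. check_admin_referer() calls
    //    wp_die() itself if the nonce is missing, stale or forged.
    check_admin_referer( 'pw_delete_report_' . $report_id, 'pw_nonce' );

    pw_delete_report_record( $report_id );
    wp_safe_redirect( admin_url( 'admin.php?page=patchwatch-reports' ) );
    exit;
}
// Only the authenticated hook is registered; no admin_post_nopriv_ variant, so
// anonymous requests never reach the handler at all.
add_action( 'admin_post_pw_delete_report', 'pw_delete_report_hardened' );

// The delete link rendered in the reports screen. wp_nonce_url() appends the
// nonce that the handler above verifies, under the same action string.
function pw_delete_report_url( $report_id ) {
    $report_id = absint( $report_id );
    $url       = add_query_arg(
        array(
            'action'       => 'pw_delete_report',
            'pw_report_id' => $report_id,
        ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'pw_delete_report_' . $report_id, 'pw_nonce' );
}
```

The order of the checks matters. The capability test runs first because it is the authorization decision; the nonce is not an authorization mechanism (any user can mint one for themselves) but an anti-CSRF proof that the request came from the plugin's own UI. Binding the nonce action to the report ID is what closes the object-reference angle: a link captured for report 17 does not verify for report 18.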
Note: We recommend keeping auto-updates enabled for PatchWatch in your WordPress dashboard so that you always run the latest security patches.