Security Company Patchstack's Sponsorship Rejection Sparks WordCamp Controversy

The WordPress community is in a heated debate after Patchstack, a prominent security company, was denied sponsorship for WordCamp Europe 2025.

The rejection has raised questions about contribution requirements and transparency in the WordPress ecosystem.

Oliver Sild, Patchstack’s CEO, received an unexpected email from WordCamp Central explaining that his company hadn’t contributed enough to WordPress Five for the Future to qualify as a sponsor. The decision particularly stings given Patchstack’s substantial role in WordPress security – they handled over 50% of all new vulnerability disclosures in the ecosystem last year alone.

The email shared by Patchstack CEO:

Felipe Santos from the WordPress Community Team informed Sild that WordCamp sponsorships are moving away from the first-come, first-served model to emphasize “contributions and relationships” with WordPress. The email suggested Patchstack pledge to Five for the Future (5ftF), an initiative encouraging companies to contribute 5% of their resources to WordPress.

However, here’s where things get murky: neither WordCamp sponsorship rules nor WordCamp Europe 2025’s sponsor guidelines mention 5ftF pledges as a requirement. The only stated expectation is that sponsors support WordPress and its principles.

Sild also wrote on X: “There’s a lot more to list here, but I don’t think it’s necessary to make a point. I just find this very disappointing after a decade of working with WordPress and incredibly demotivating for our entire team who has been pouring their hearts into this mission…”

The numbers back up his frustration. In 2024, Patchstack:

– Managed 4,566 individual vulnerability disclosures

– Paid nearly $200,000 in bounties to security researchers

– Launched a free Vulnerability Disclosure Program platform for plugin developers

– Recently awarded the highest bounty in WordPress history ($14,400) for a critical vulnerability discovery

The community has rallied behind Patchstack, with many prominent figures expressing concern about the decision. Francesca Marano, Patchstack’s Head of Partnerships and former community team member, pointed out issues with transparency and reliance on potentially unreliable Five for the Future data.

WordPress co-founder Matt Mullenweg has acknowledged the situation on X, calling the rejection email “crappy” and promising to investigate.

This comes at an interesting time, as debates about contribution requirements have intensified following Mullenweg’s recent criticism of WP Engine’s WordPress contributions compared to Automattic’s.

The controversy raises broader questions about how the WordPress community measures and values different types of contributions. Should security work carry the same weight as code contributions? How transparent should sponsorship requirements be? As the community awaits further clarification from WordCamp Central, these questions remain at the forefront of the discussion.

@Nishat Shahriyar

WPMore is your weekly digest of WordPress news, controversies, and community insights. Have feedback or tips? Reply to this newsletter.
