I will argue hackers are immune to patches submitted via bug bounty programs.
It discourages script kiddies and botnet scanners hammering an origin, but application-level vulnerabilities are rarely the cause of an entire system being rooted, as it was with Epik.
As jonh said, it is a matter of competent engineers and security experts.
Btw, thanks Rob for offering me a bounty, which I won't take. Unless you start taking security seriously by announcing you have rebuilt your entire codebase, and are not relying on "remote PHP developers" to power Epik, I honestly think you are doomed.
Apologize to their customers, transfer them to a different company, shut down completely, and rebuild. Or just shut down.
There are no other options for them.
That is my professional opinion.
Kirt gave you honest advice; listen to the part about "rebuild". A broken technology is a broken technology, no patch and no team will fix it.
This stuff means Epik is persisting in using remote PHP devs, Zend cannot be patched, but well, time will tell if your technical debt is really irreversible.
PHP, WordPress, alright. That's not how you play the game, that's why you are losing.