When it comes to the WordPress plugin vulnerabilities included in our data set, many of those being added come from information we have collected on our own. That includes many vulnerabilities that we have discovered, as well as an increasing number where it has been noted that a security related issue has been fixed in a plugin, but no report detailing the vulnerability has been released. For vulnerabilities that are discovered and disclosed by others we don’t just copy their data; we spend a fair amount of time checking over the vulnerability to make sure we are properly labeling it, correctly identifying the vulnerable versions (or whether the vulnerability even exists), and determining the likelihood that it would be exploited. We also often take additional action, including working with the developer of the plugin to get the vulnerability fixed.
There are plenty of other data providers that simply collect other people’s data and sell access to it, without providing anything back. Not too long ago we found that one of those providers, Vigil@nce (vigilance.fr), was taking it even further by wholesale copying at least some of our reports onto their website. That seems to be a pretty clear case of copyright infringement, and it is probably happening on a much larger scale than just our reports.
After becoming aware of that, we sent them the following message about this:
We have been made aware that you have copied our copyrighted content onto your website; for example, the contents of our post at https://www.pluginvulnerabilities.com/2017/03/03/vulnerability-details-remote-code-execution-vulnerability-in-opti-seo/ is located on your website at https://vigilance.fr/vulne/vul/02/2/0/2/2/vulnerability-details-remote-code-execution-vulner.html.
As this is not legal it must be my mistake; so how did this happen, when will you be removing any of our copyrighted content from your website, and how will you ensure it doesn’t happen again?
The response wasn’t what we were expecting:
Thank you for this report.
I’ll look at this matter tomorrow.
I’ll add a filter to ensure that your website cannot have a local
It should be clean in 24 hours.
This seems to indicate that this wasn’t happening by accident, and it sounds like it is standard practice.
It would be one thing if they stored a copy of content privately in case a website later went down, but that isn’t the case here.
Amazingly they make the following claim on the Legal Notice page of their website:
Documents presented on this site are the property of Vigil@nce.
In the public portion of their entries they don’t provide any credit to the discoverer or a link to the original source, instead linking within their own website (here is a recent addition where you can see that). By comparison, we link to the original disclosure in our data and credit the discoverer in our posts detailing what vulnerabilities we have recently added to our data.
What we find even more striking about this is that they at least identify themselves as being part of the Business Services division of Orange, which is a company that does billions of dollars of business:
We wonder if Orange would mind if someone started copying their content.
On their website they don’t provide any information on how much they are charging for access to their data, so we can’t compare how we do on pricing, but if you are trying to keep track of vulnerabilities you will get more complete data from us, while also helping to improve the security of WordPress plugins.