When it comes to the response from the security industry to the exploitation of a vulnerability in the WordPress plugin WP GDPR Compliance, things keep getting worse. You would think that telling people to update the plugin after it was already widely exploited, instead of telling them the truth, that they should be keeping their plugins up to date at all times (which would lessen the need for their services), or lying and telling people that your service covered them when it didn’t, would be bad enough. But while looking into something related to another possible vulnerability that had been in that plugin, we came across a post from the CEO, Claudio Salazar, of a security company we had not heard of before, Alertot, who claimed this about the other serious vulnerability that definitely had been in the plugin:
We have been monitoring this plugin for some months because we discovered a serialization bug around May and added it to our private vulnerability database at alertot.
He could be lying about that, but assuming that he isn’t, he makes no claim of trying to notify the developer of the issue. So it would seem that this company left people open to being hacked and is now trying to market itself off of that, which is awful, but unfortunately par for the course in the security industry.
Making this worse, the government of Chile has provided them with funding. It would be great if governments were working to improve security instead of working against it by doing things like helping unethical security companies like this.