22 Dec 2022

Patchstack Doesn’t Know About Hundreds of Undisclosed Zero-Days

Recently, we noted that the WordPress security provider Patchstack was marketing their service with a misleading claim to be providing “early alerts and protection”, where in one instance, they were only aware of a vulnerability two weeks after it was fixed and after it had been publicly disclosed by a competitor, and in another, the “vulnerabilities” involved the attacker already having control of the website. Since then, they removed that marketing claim, but switched to another highly inaccurate claim in its place.

Zero-day vulnerabilities are serious vulnerabilities, not only because they are vulnerabilities that a hacker is exploiting, but because the developers are not aware of them when they start to be exploited, so simply keeping software up to date won’t protect you from them. Those do exist in WordPress plugins. In what appears to be a recent case, Patchstack failed to warn about one even after it was disclosed.

Patchstack’s new marketing involves them claiming to be aware of hundreds of undisclosed zero-day vulnerabilities. As of the writing of this post, Patchstack is claiming to be aware of 405 of those:

That would be a very serious issue if it were true, but it isn’t. What they are calling zero-days are not zero-days. If you hover over the tooltip, you find out that what they mean by zero-days are claimed vulnerabilities reported to them:

Vulnerabilities reported to us which we are still processing and will be published soon.

Considering their long track record of falsely claiming that vulnerabilities exist in plugins, they don’t even necessarily know about hundreds of undisclosed vulnerabilities, but even if they do, they are not zero-days.

If they are still processing things, then it seems like they wouldn’t be providing protection and alerts either, especially considering the alerts seem to be tied to published information, which doesn’t yet exist.
