21 Dec 2021

Patchstack Continues to Overstate Size of Their Database Despite Dropping Claimed Size for 2021 by 35%

Last month we noted that a couple of WordPress news outlets had repeated what appear to be clearly false claims made by WordPress security provider Patchstack. It should go without saying that a security company that isn’t honest is a big deal. We have since run across a further claim from Patchstack that contradicts their previous claim, while still appearing to be false.

On November 5, the WP Tavern ran a story by Justin Tadlock that included this claim about the number of vulnerabilities in Patchstack’s database for this year:

When combined with security issues reported through other vendors that the company tracks, the vulnerability count jumps to over 2,000.

When we went to look into another claim being made in that story, we noticed that as of November 11, there were only 1,028 entries.

Presumably the number claimed in the story came from the founder and CEO of Patchstack, Oliver Sid, since he was the only person quoted in the story. 13 days ago, though, that same Oliver Sid claimed on Product Hunt that the number was only “more than 1300”:

Meanwhile, the number of new vulnerabilities found in plugins has grown from 582 (total in 2020) to more than 1300 (in 2021 so far).

So the claimed number has somehow gone down by 700, but checking right now, there are 1,215 entries from this year in the publicly available database. We arrive at that number by paging back through Patchstack’s database: the first entries from this year are on page 61, there are 20 entries per page, and 15 of the entries on page 61 are from this year.

What led us to looking at the total number of vulnerabilities in their database last month was another claimed number, which was the number of vulnerabilities they claimed were discovered through a bug bounty program they have:

However, issues found in 2021 have multiplied from the previous year. Patchstack Red Team, a community bug-hunting program that pays out monthly bounties, has reported 1,182 vulnerabilities from March through October. Bounty payouts have reached $9,150 thus far.

For that number to be true, almost their entire database would have to consist of vulnerabilities discovered through that program, but that doesn’t match up at all with what we found last month about the sources of the vulnerabilities in their database. It also doesn’t square with other things you would expect to see if that number were right.

Oliver Sid’s comment on Patchstack cites a lower number for that as well:

Patchstack is also running the very first WordPress-focused bug hunting platform (called Patchstack Red Team: https://patchstack.com/red-team/) that covers every WordPress plugin and theme. Patchstack Red Team members have reported over 1000 security vulnerabilities to Patchstack in 2021 alone.

So they appear to have inflated both the number of vulnerabilities in their database and the number found through their bug bounty program. The latter possibly necessitated inflating the former.

That isn’t the only area where they are not being honest. In the past month, we have noted they are not honest about verifying vulnerabilities or about promptly warning their customers of vulnerabilities.

In the comments on the WP Tavern story, someone mentioned that the bug bounty numbers didn’t add up:

have you verified that yourself? the numbers don’t add up

The response from Justin Tadlock was to ask how they didn’t add up:

In what way do the numbers not add up? Patchstack has a public database of known vulnerabilities. If the numbers do not add up or any of the issues are false, please post your findings.

As noted in our previous post, after looking into this, we brought up how the numbers didn’t add up with Justin Tadlock, but got no response despite multiple attempts. We are going to contact him again, seeing as Patchstack itself has now disagreed with the number presented in the story.

On Patchstack’s homepage they highlight several of their claimed customers, cPanel, Cloudways, GridPane, Pagely, and Plesk:

It doesn’t seem like they should be doing business with such a blatantly dishonest security company, so we are going to contact them to ask if they are in fact customers, and if so, whether they are unaware of what is going on with Patchstack or whether they don’t see an issue with it (which should be an issue for customers of those companies).
