30 May 2025

Patchstack Now Withholding Misappropriated Information Needed to Secure Plugins in WordPress Plugin Directory From WordPress

Last week, we posted how WordPress had left a known vulnerable WordPress plugin with 100,000+ installs, which is being targeted by a hacker, in the WordPress Plugin Directory. The plugin remains in the plugin directory despite David Perez, one of the Team Reps for the Plugins Team, and Samuel (Otto) Wood, the senior member of that team, having been informed of that.

It turns out that another party is partially responsible for the situation. It is a party that has already engaged in unethical behavior, and things have now gotten worse.

Responsible disclosure involves, among other things, notifying the developer of the software of vulnerabilities first. A number of WordPress security providers make major efforts to get vulnerabilities reported to them instead of to the developers or to WordPress. The reason for that is so that they can profit off of those vulnerabilities. Beyond the ethical issue, this often leads to vulnerabilities that are not actually fixed, as these providers don’t properly vet the vulnerability claims and fixes. They then don’t provide that information to others, like ourselves, who actually fully vet them. And it causes unnecessary headaches for plugin developers.

The head of one of those providers, Patchstack’s Oliver Sild, has indirectly admitted this isn’t ethical. (Patchstack also admits to corner cutting when vetting vulnerability claims.) Now Patchstack is stating that they are not providing WordPress itself with the information either. Here is the response from Patchstack’s Darius Sveikauskas, when asked about reporting the vulnerability in the plugin mentioned above to the Plugins team:

@jdembowski , at this time, we have discontinued sharing vulnerability details with the plugins and themes teams. This decision was made due to previous instances where the plugins team made overly intrusive requests for sensitive information without clearly disclosing who was requesting the data or for what purpose, despite claiming to act on behalf of the plugins team. There is zero transparency about both of those teams and how the data is used, stored, and who has access to it.

It’s essential to clarify that vendors are ultimately responsible for their plugins and themes, and the plugin/theme teams should be considered external parties, not legal stakeholders. Additionally, there is no non-disclosure agreement (NDA) or formal confidentiality agreement between us and these teams.

From a compliance and legal standpoint, particularly under the EU Cyber Resilience Act (CRA), we must consider the risk of significant penalties. Are those teams prepared to accept legal liability for the products in question, including any potential fines for non-compliance with relevant regulations?

We recently began asking the plugins team to reach out to vendors, requesting that they add or update their security contact information in plugin metadata to enable responsible vulnerability disclosure. Instead of facilitating this, we are receiving responses requesting complete vulnerability reports, which is not the intended purpose of our request.

We cannot responsibly share sensitive vulnerability information under these conditions.

The whole thing is crazy. Patchstack is trying to get vulnerability reports directed away from developers to an external party, themselves, and then claiming that WordPress having the same information is somehow problematic, if not illegal. They clearly are not interested in responsible vulnerability disclosure considering they have a massive effort to get in the way of that. They are also lying about the EU’s CRA again.

In a follow-up comment from the same Patchstack employee, they put forward their business model, trying to profit off information on vulnerabilities in WordPress plugins being redirected to them, as an altruistic action (the number of identified vulnerabilities is wildly off):

I really don’t have time for discussions like this. I mean, I could spend this time in a much more productive way – bringing greater value to the community. Just for your information: Patchstack has identified over 11,000 vulnerabilities in the WordPress ecosystem, and it cost those affected vendors nothing – $0. However, we spend $250,000+ just on bounties to reach that result and motivate independent researchers. So next time, before questioning our business model, please check the facts and consider the value we’ve delivered to the community.

Lack of Coverage

This is a serious issue, and yet it hasn’t received any coverage. In fact, just a week ago The Repository, which is run by a content marketer, Rae Morey, who misleadingly claims to be a journalist, ran a story promoting Patchstack’s redirection of vulnerability reports away from developers as if it were a positive. In line with Rae Morey being a content marketer, Patchstack is one of The Repository’s advertisers, which was disclosed at the end of the story, misleadingly, as them being a “Community Sponsor.” We left a comment on the story noting that it was misleading as to what is going on and that Rae Morey was again pushing Patchstack’s misrepresentation of the EU’s CRA. The comment wasn’t approved. (That isn’t surprising, since the website is a content marketing project disguised as a journalistic outlet.) We left a reply on Bluesky asking if they were going to cover this situation, with no response so far.

Plugin Security Scorecard Grade for Patchstack

Checked on March 5, 2025
D
