1 Jun 2017

Vigil@nce (vigilance.fr) Engaged in What Appears to Be Large-Scale Copyright Infringement

When it comes to the WordPress plugin vulnerabilities included in our data set, many of those being added come from information we have collected on our own. That includes many vulnerabilities that we have discovered, as well as an increasing number where it has been noted that a security-related issue has been fixed in a plugin, but no report detailing the vulnerability has been released. For vulnerabilities that are discovered and disclosed by others, we don’t just copy their data; we spend a fair amount of time checking over the vulnerability to make sure we are properly labeling the vulnerability, correctly identifying the vulnerable versions (or whether the vulnerability even exists), and determining the likelihood that it would be exploited. We also often take additional action, including working with the developer of the plugin to get the vulnerability fixed.

There are plenty of other data providers that simply collect other people’s data and sell access to it, without providing anything back. Not too long ago we found that one of those providers, Vigil@nce (vigilance.fr), was taking it even further by wholesale copying at least some of our reports onto their website. That seems to be a pretty clear case of copyright infringement and looks to probably be of a much larger scale than just our reports.