We often find misleading to outright false information about WordPress plugin vulnerabilities coming from claimed security researchers. That frequently involves claims of non-existent vulnerabilities and, more problematically, false claims that real vulnerabilities have been fixed when they haven’t. We are now compiling information on claimed security researchers to help identify untrustworthy researcher and others trying to take advantage of the WordPress community.
If you are a WordPress plugin developer that has been approached by this less than trustworthy "researcher" or their partner (Patchstack, Wordfence, or WPScan) and are looking for help to identify if there really is an issue and what needs to be done to fix it, we offer free help.
Proper research involves providing details of claimed vulneraibilites and or a proof of concept, which allows others to understand the issue and for peer review to take place. It also involves making sure the issue is actually fixed before claimit it is fixed. Issues should not be reported to third-parties instead of the developers.