Patchstack openly admit that they don't do basic due diligence with vulnerability reports. So often, at best, vulnerabilities are only partially fixed. They are also trying to get reports redirected away from developers to themselves. So you have an unreliable middle-man in the process as well. - ThreadSky

About ThreadSky

pluginvulns.bsky.social • 26 days ago

Patchstack openly admit that they don't do basic due diligence with vulnerability reports. So often, at best, vulnerabilities are only partially fixed.

They are also trying to get reports redirected away from developers to themselves. So you have an unreliable middle-man in the process as well.

Comments

pluginvulns.bsky.social•26 days ago

And they don't provide the information needed for others to do that vetting, making it harder for other to catch that vulnerabilities haven't been fixed properly (or sometimes at all).

pluginvulns.bsky.social•26 days ago

Developers at least portray it as if Patchstack is making sure their plugins are secure, even when they are clearly not.

pluginvulns.bsky.social•26 days ago

That claim was included in the bio of one of three team reps. The other two bios did not make that sort of inaccurate claim about a company. One just says a company is "well-known."

@10up.bsky.social's @joemcgill.bsky.social is credited with writing that post.

pluginvulns.bsky.social•26 days ago

That would be the 10up that has the WP-CLI Vulnerability Scanner, which doesn't warn people that the sources for that, WPScan, Patchstack and Wordfence Intelligence, are not reliable to level that there is widespread exploitation of unfixed vulnerabilities they claimed were fixed.

jeffpaul.com•12 days ago

👋 curious if you can help clarify the concerns with the Vuln Scanner tool and how it surfaces vulnerabilities as reported by those three providers?

pluginvulns.bsky.social•3 days ago

Sure. What are you looking for clarification on? That the tool is not warning that vulnerability claims from those providers are known to be highly inaccurate? Or that vulnerability claims from them are known to be highly inaccurate?

Posting Rules

Be respectful to others
No spam or self-promotion
Stay on topic
Follow Bluesky's terms of service

Comments

Posting Rules

Reply