How do you differ from other suppliers?
The differentiating element is that we are component-centric and not vulnerability-centric.
This means that our base is the core, plugin or theme, with its versions and history, and we assign each vulnerability to each of them, regardless of where the information comes from.
This makes that, for example, a plugin contains all the vulnerability information, centralized, which will give you a better view of how it has evolved.
In cases where the information is focused on one vulnerability, it may be the case that one affects many components, and therefore you have to find out whether it really affects you or not.
How do you use the different data sources?
Different data sources sometimes vary the information on the same vulnerability. In our case, we take the most restrictive information and link to the different sources where the vulnerability is reported.
We use, as a reference, their link (which is the basis of the Internet, linking), the title and the description, just like search engines do.
We use the information as right to quote, considering the security and technical value that this implies.
Do you have any kind of statistics?
No. We do not track any query, and also we want to avoid doing rankings or tops or similar to respect the work or developers. A plugin / theme with numerous vulnerabilities doesn’t mean it’s insecure. Probably is more secure than others because it’s been tested more than others.
When do you update the API?
Every day (at least, we try to update as fast as we can). This is a free project, so we can add hours based on free time and donations. If you want to see some improvements, please help us with the project.
Is there an index with all the vulnerabilities or components?
No. If you have a list of plugins, you can ask for the information, one-by-one, but we do not have a list with all the core versions, plugins, or themes affected. We can do it, we simply don’t want to do that.