Patchstack has become the world’s most prolific vulnerability coordinator, surpassing Microsoft in total CVEs (Common Vulnerabilities and Exposures) assigned, according to new data from CVE.icu, which analyzes vulnerability disclosures from the U.S. National Vulnerability Database (NVD). The Estonian cybersecurity firm now tops both all-time and year-to-date charts, overtaking legacy players like Red Hat, Oracle, and kernel.org.
The data comes from CVE.icu, an independent analysis project by Jerry Gamblin, Principal Engineer for Threat Detection & Response at Cisco. The site pulls and processes all publicly available vulnerability records from the NVD.

CEO Oliver Sild attributes the milestone to the sheer scale of the WordPress ecosystem, and the security gaps he says had long been overlooked.
“In a way, it shows the size of the WordPress plugins ecosystem,” said Sild. “You can directly connect the increase of vulnerabilities discovered and fixed in the WordPress ecosystem with the birth of the Patchstack Alliance ethical hackers community and the first ever open bug bounty program we created around WordPress.”
Patchstack’s database spans CVEs across WordPress plugins and themes distributed on WordPress.org, GitHub, Envato, and elsewhere. Today, nearly 700 plugin companies — including Elementor, WP Rocket, and YITH — have named Patchstack as their security point of contact.
“This actually means that we have visibility into even more vulnerabilities than what we assign CVEs for,” said Sild.
While Patchstack’s roots are in WordPress, the company is expanding. It already supports Joomla and Drupal, and now plans to scale coverage across the entire PHP ecosystem, including Laravel.
“Patchstack is well known for providing the fastest protection to WordPress websites against security vulnerabilities,” said Sild. “That same methodology is what we’re now expanding across the entire open source ecosystem as fast as we can.”
Patchstack’s rise also reflects the viability of scaling open-source security as a business — and outpacing peers like Wordfence and WPScan in terms of coordinated CVEs and developer adoption.
The company was recently named one of the top 100 fastest-growing startups in the DACH and CEE regions by Sifted, a Financial Times-backed publication.
“It’s showing the ambition our team has to secure the web and make open source more resilient,” said Sild.
“It [also] shows that securing open-source components — like WordPress plugins — at scale is not only possible, but a fast-growing business. Our platform aims to cover the full lifecycle: from vulnerability discovery to managed disclosure, early warnings, and real-time protection.”
Patchstack’s growth also aligns with a shifting regulatory landscape. The European Union’s upcoming Cyber Resilience Act will soon require software vendors to take greater responsibility for security — a move that could further boost demand for Patchstack’s services.
Disclaimer: Patchstack is a Community Sponsor of The Repository.