Automattic Acquires WPScan

WPScan, a WordPress vulnerability database that has existed for 10 years, has been acquired by Automattic. But if you read the announcement on the Jetpack blog, it appears as though Jetpack acquired WPScan, as if it’s its own separate entity within Automattic. Is this the case? I have no idea, but in the past, it was labeled as Jetpack acquiring Social Image Generator and not Automattic. In any case, WPScan is now owned and operated by Automattic.

If you’ve made it this far into the post, congratulations. Since its inception as a Ruby script, WPScan developed and released its security scanner, which led to the development and release of its vulnerability database that many sites have come to rely on. Steve Seear, Jetpack Product Engineering Lead at Automattic, says not only have they been big fans of WPScan, but it’s also used to power Jetpack Scan.

This is important to note because one of the concerns being expressed about this acquisition is whether or not WPScan will be completely rolled into Jetpack, making it a requirement or, at the very least, requiring people to pay for access to the database.

The announcement posts on both Jetpack and WPScan state that one of the goals of the acquisition is to make WPScan more open and available to the community at large.

“With Automattic’s help, we will improve our existing services, release new products, and make our vulnerability data more open and accessible to the community.”

WPScan Announcement

“Besides creating an outstanding security offering, our goal for this acquisition is to make malware data and APIs more open source. We want to ensure that WPScan continues to be a high-quality security resource for the entire WordPress community. To that effect, we’ll be exploring ways to make the API completely free for non-commercial sites.”

Jetpack Announcement

With WPScan’s longevity, track record, and how many people throughout the community rely on its data, I think it’s imperative that access to the vulnerability database is as open as possible. In addition to acquiring the company and services, Ryan Dewhurst and Erwan Le Rousseau, founders of WPScan, will be joining Automattic as employees, most likely as part of the team that works on Jetpack Scan.

According to the Jetpack announcement, WPScan will continue to operate independently in the near term with the possibility of being fully integrated into Jetpack Scan. WPScan customers can expect to see no disruptions in service or any major changes.

Updated 11/4/2021

I asked Rob Pugh, Director of Product Marketing at Automattic, if Jetpack is its own business entity within Automattic. He responded that it’s not. He also said that as Automattic expands, they think it makes sense to let people know what part of the company the acquisition will be most closely aligned to.