Vulnbusters Meter

         

keyplyr

11:43 pm on Jul 10, 2017 (gmt 0)





UA: Vulnbusters Meter (see http://vulnbusters.com for details)
Protocol: HTTP/1.1
Robots.txt: No
Host: tools01.vulnbusters.net
Parent: leaseweb.com
37.48.64.0 - 37.48.120.255
37.48.64.0/18

Looking for vulnerabilities in PHP

lucy24

1:10 am on Jul 11, 2017 (gmt 0)




"Wait a minute, do you patch sites without owner permission?"

"Yes, we do that when the vulnerability is dangerous for the entire Internet community. Before patching we are trying to connect site owner."

wtf? Is that even physically possible?

Incidentally, free lookup says their DNS is through Yandex. I had no idea Yandex even did DNS; file under Today I Learned. (I only looked it up because “Before patching we are trying” made me wonder about their native language. I remain unenlightened.)

keyplyr

1:55 am on Jul 11, 2017 (gmt 0)




"They are two bots used by Vulnbusters team for harvesting vulnerable sites (Meter) and for enforcing the patch for the vulnerable sites (Proton). You can see their names in User-Agent header. Meter and Proton can connect only from IP addresses belong to vulnbusters.net domain."
Haven't seen the other UA: Vulnbusters Proton (see http://vulnbusters.com for details)

As for them "patching sites" I agree, this is an impossible claim. If their bots detect a security vulnerability, all they can do is contact the server admin. Their claims otherwise are likely for marketing.

PHP has always been ridden with security vulnerabilities. Any time you can pass data from one source to another source, there's the possibility for compromise. Look at how often PHP is updated. Besides a couple flat utilities, I use PHP very little.
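
Added example, not part of any post in this thread: a log triage sketch that cross-checks the User-Agent reported in the first post against the source range listed there, so that requests carrying the Vulnbusters name from some other address stand out. The log lines are constructed samples in Combined Log Format, and treating 37.48.64.0/18 as the expected source range is an assumption based only on the first post.

```python
import ipaddress
import re
from collections import Counter

# Values taken from the first post in this thread.
UA_MARKER = "Vulnbusters"
# The /18 spans 37.48.64.0-37.48.127.255, wider than the dashed range in the post.
REPORTED_NET = ipaddress.ip_network("37.48.64.0/18")

# Combined Log Format: ip ident user [time] "request" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '37.48.64.10 - - [10/Jul/2017:23:43:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" '
    '"Vulnbusters Meter (see http://vulnbusters.com for details)"',
    '203.0.113.7 - - [10/Jul/2017:23:44:10 +0000] "GET /index.php HTTP/1.1" 200 512 "-" '
    '"Vulnbusters Proton (see http://vulnbusters.com for details)"',
    '37.48.100.2 - - [10/Jul/2017:23:45:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jul/2017:23:46:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    'not a log line',
]

def classify(line):
    """Return (label, ip, request) for one log line, or None if it cannot be parsed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:
        return None
    claims = UA_MARKER.lower() in m["ua"].lower()
    in_range = ip in REPORTED_NET  # False for IPv6 sources
    if claims:
        label = "ua-in-reported-range" if in_range else "ua-from-other-source"
    else:
        label = "range-only" if in_range else "other"
    return label, str(ip), m["request"]

def summarize(lines):
    """Count labels across all parsable lines."""
    return Counter(r[0] for r in map(classify, lines) if r is not None)

if __name__ == "__main__":
    for label, count in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{label}: {count}")
```

The "ua-from-other-source" bucket is the one to review first, since a User-Agent string alone proves nothing about who sent the request.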