
Ask HN: Which security vulnerability feeds should I Monitor? - KajMagnus
Hi,

I'm building a security vulnerability alerts service (details below), to use myself, and I'll make it available to others too. For server and client side (incl. Javascript) vulnerabilities, and dev/ops' operating systems and tools (e.g. IntelliJ, Chrome) vulnerabilities.

Which vulnerability feeds would you recommend that I monitor, to get to know about "all" vulnerabilities and exploits?

I've found these feeds:

1) https://nvd.nist.gov/download.cfm#RSS (a "National Vulnerability Database" feed, which I found via https://cve.mitre.org/cve/data_updates.html)

2) https://snyk.io/vuln/ (I'll need to find out / ask if their license allows my intended usage)

(then there's https://nodesecurity.io but they don't seem to have any data feed)

Is there any point in monitoring mailing lists like Bugtraq *and* the NVD feed mentioned above? Or are all important vulnerabilities posted in Bugtraq also included in the NVD database?

(Details: The point with this service is: """Security vulnerability alerts. For the software and services you use — instead of everything in the whole world.""" You can read more here: https://www.exploits.social/ — feedback about the idea is welcome. Or if you happen to know that what I'm building already exists. I know about: http://security.stackexchange.com/questions/25557/how-to-subscribe-to-information-about-new-vulnerabilities-in-selected-products — but the answers mention either hard-to-use things and/or rather expensive things. For example, the top answer suggests subscribing to one "product" / "vendor" at a time, here: http://www.cvedetails.com/product-list.php — but the user experience at that site isn't the best. And the 2nd answer is a commercial product, which seems expensive, because apparently I need to contact the company and ask for a quote.)

(I asked at Reddit 20 days ago, https://www.reddit.com/r/security/comments/4wun43/which_vulnerability_feeds_should_i_monitor_for_a/, and got some helpful replies, but about *other* things.)

Best regards,
KajMagnus
======
ashitlerferad
Take a look at some of the links on this page:

[https://security-tracker.debian.org/tracker/CVE-2016-4448](https://security-tracker.debian.org/tracker/CVE-2016-4448)

~~~
KajMagnus
Thanks!

This gives me the impression that the NVD RSS feed, or alternatively the
cve.mitre.org changelog (they contain the same vulns, I think), is an okay
vuln list to monitor, and that that one alone will be enough, now initially,
when getting started.

Because: The main source mentioned on the Debian tracker, seems to be
cve.mitre.org. And at cve.mitre.org, there's this page:
cve.mitre.org/cve/data_updates.html which recommends NVD or MITRE's own change
log.

More things that came to my mind, when looking at the sources linked from the
Debian tracker:

- NVD: lots of details on the vulnerability. In a format that looks easy to parse for a web scraper.
- LWN.net: There's an email about the vuln, but it seems time consuming to read it and understand what to do with it (the email).
- Vulnerability Notes Database (CERT): Found nothing about the vuln.
- Exploit Database: Nothing.
- Metasploit: Nothing.
- Red Hat / Ubuntu / Gentoo / SuSE / Mageia feels a bit too distro specific to monitor now initially.
- Full Disclosure & Bugtraq: Nothing, vs "too many" detailed emails, sometimes about individual product versions.

B.t.w. how kind of security-tracker.debian.org to include all those Source
links :-)

Ok, initially, it'll be NVD's RSS feed, or MITRE's change log, e.g.:
[https://cassandra.cerias.purdue.edu/CVE_changes/CVE.2016.08....](https://cassandra.cerias.purdue.edu/CVE_changes/CVE.2016.08.html)

+ some other Git repositories not yet popular enough (?) to be included by
MITRE, and some Javascript + Java & Scala stuff that I use.

~~~
ashitlerferad
Some more possible sources:

[https://anonscm.debian.org/viewvc/secure-testing/check-external/sources.ini?view=markup](https://anonscm.debian.org/viewvc/secure-testing/check-external/sources.ini?view=markup)

~~~
KajMagnus
Thanks, via that link I found:
[https://nodesecurity.io/advisories](https://nodesecurity.io/advisories) which
is what I was hoping for (for client side vulns).

Not all the vulns in that advisory list get CVE numbers, so that list should
be monitored in addition to CVE/NVD. And to me those JS vulns are important,
for example, there was recently an XSS bug in a HTML sanitizer I'm planning to
use.

(I actually went to [https://nodesecurity.io/](https://nodesecurity.io/) a
while ago, looking for a vulnerabilities feed, but didn't see / react-to the
Advisories link at the top of the page, so I thought they didn't have any
advisories list, or vuln feed.)

(The other lists seem to get CVE numbers (and will thus be included in MITRE
and NVD, right). Or if they don't, they seem a bit too niche right now + I
don't use them myself, so I'll skip them, for now.)

------
ashitlerferad
BTW, it would be great if you could post your final list of feeds here when
you are done.

~~~
KajMagnus
Ok. Currently this is what I have in mind:

NVD: [https://nvd.nist.gov/download/nvd-rss-analyzed.xml](https://nvd.nist.gov/download/nvd-rss-analyzed.xml) — but
initially only for software I use myself. Otherwise there'll be too many
vulns. In the distant future: a web scraper that analyzes the CVEs/NVDs
automatically.

nchan:
[https://github.com/slact/nchan/blob/master/changelog.txt](https://github.com/slact/nchan/blob/master/changelog.txt)
(an Nginx module)

And some JS libraries: markdown-it, sanitize-html, React.js, + more. Perhaps
I'll track them via
[https://nodesecurity.io/advisories](https://nodesecurity.io/advisories) if
their terms-of-use allow this.

Play Framework. (via email list. It's a Scala web framework)

Silhouette. (via email list. It's an OpenAuth lib.)

In the future: More stuff. I'll try to remember to post an update, if I
add/remove something that seems "significant". But this page will probably
become read-only long before that.
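As an added example (not part of the thread, and not code from any of the services named in it), here is a small Python filter for the approach the final list describes: take NVD's RSS feed and keep only the entries that mention software on your own watchlist. The feed layout below is a constructed sample in the RSS 1.0 (RDF) shape, and its CVE ids and descriptions are made up, not real advisories.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample feed in the RSS 1.0 (RDF) shape of the old nvd-rss-analyzed.xml.
# The CVE ids and descriptions are invented for illustration, not real advisories.
SAMPLE_FEED = """<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns="http://purl.org/rss/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <item rdf:about="https://nvd.nist.gov/vuln/detail/CVE-0000-0001">
    <title>CVE-0000-0001 (sanitize-html)</title>
    <link>https://nvd.nist.gov/vuln/detail/CVE-0000-0001</link>
    <description>XSS in sanitize-html before 9.9.9 via a crafted attribute.</description>
    <dc:date>2016-08-30T10:00:00</dc:date>
  </item>
  <item rdf:about="https://nvd.nist.gov/vuln/detail/CVE-0000-0002">
    <title>CVE-0000-0002 (someothertool)</title>
    <description>Buffer overflow in the reactor loop of someothertool.</description>
  </item>
  <item rdf:about="https://nvd.nist.gov/vuln/detail/CVE-0000-0003">
    <title>CVE-0000-0003 (nchan)</title>
    <description>Denial of service in the nchan module for nginx under load.</description>
  </item>
</rdf:RDF>"""

# Products the poster says they want to track; extend with your own.
WATCHLIST = {"sanitize-html", "markdown-it", "react", "nchan", "nginx", "play framework"}

def _local(tag):
    """Strip the XML namespace so 'item', 'title' and 'dc:date' compare by local name."""
    return tag.rsplit("}", 1)[-1]

def parse_items(feed_xml):
    """Return one dict per <item>, with the CVE id pulled out of the title."""
    items = []
    for el in ET.fromstring(feed_xml).iter():
        if _local(el.tag) != "item":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in el}
        m = re.search(r"CVE-\d{4}-\d{4,}", fields.get("title", ""))
        fields["cve"] = m.group(0) if m else None
        items.append(fields)
    return items

def watched_products(item, watchlist):
    """Whole-word match of each watchlist name against title + description,
    so 'react' does not fire on 'reactor'."""
    text = (item.get("title", "") + " " + item.get("description", "")).lower()
    return sorted(p for p in watchlist if re.search(r"\b" + re.escape(p) + r"\b", text))

def alerts_for(feed_xml, watchlist=WATCHLIST):
    """(cve, matched products) for every entry touching something on the watchlist."""
    return [(i["cve"], hits) for i in parse_items(feed_xml)
            if (hits := watched_products(i, watchlist))]

if __name__ == "__main__":
    for cve, hits in alerts_for(SAMPLE_FEED):
        print(cve, "->", ", ".join(hits))
```

Against the real feed you would fetch the XML over HTTPS and pass it to `alerts_for`; matching on free text is a first cut, and the CPE product names in NVD's full data are the more reliable key once the scraper the poster mentions exists.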

