
Ask HN: How to Best Stay on Top of Vulnerability Releases in Software? - etbusch
I maintain a fairly large collection of hosted web and server applications, a large portion of them running WordPress, Django, Laravel, and Drupal. I'm aware of the normal channels for tracking new releases, but what is the best way to be in the know about new security issues without spamming an email folder or twitter feed with every CVE?
======
k4ch0w
Usually there are mailing lists you can sign up for, but they can be spammy.
Organizations I have reviewed have vulnerability scans happen every month. I
think it's a best effort kinda thing unless you have a dedicated security team
monitoring daily. The juicy bugs will usually make their way into your front
view like ShellShock, Heartbleed, Spectre, Drupalgeddon etc. I'd say just by
the willingness to ask this question and stay on top of updates you should be
fine.

New vulnerabilities are discovered every day and it doesn't even include the
ones that are never publicly disclosed.

------
twunde
1) If you're using Github, enable security alerts
([https://github.blog/2017-11-16-introducing-security-alerts-on-github/](https://github.blog/2017-11-16-introducing-security-alerts-on-github/)).
This is basically looking at your package manifests and checking
for known vulnerable dependencies. Django security updates work out of the
box, I don't know if PHP is supported. For WordPress (and probably Drupal)
there are security scanners that are worth running.
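The check twunde describes (look at a package manifest, compare pinned versions against an advisory feed, alert only on what you actually run) is easy to reproduce locally, which is also how you keep a CVE feed from flooding an inbox: filter it by your own manifests first. The script below is an added example, not code from the thread or from GitHub's alerting service. The requirements.txt contents, the advisory identifiers (EXAMPLE-ADV-xxxx) and the affected version ranges are all constructed for illustration; a real run would load advisories from a feed such as the GitHub Advisory Database or OSV, which use the same introduced/fixed half-open range convention assumed here.

```python
"""
Added example: a minimal manifest-vs-advisory checker in the spirit of
GitHub's dependency security alerts. Reads a pinned requirements.txt,
loads an advisory list and reports pins that fall inside an affected range.
All sample data below is constructed; advisory IDs are placeholders.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample manifest. Only '==' pins can be checked; other
# specifiers are reported separately because a range can't be matched
# against an advisory without resolving it first.
SAMPLE_REQUIREMENTS = """\
Django==2.2.3
requests==2.21.0
Pillow>=6.0
# celery is pinned for the worker boxes
celery==4.3.0
"""

# Constructed advisory feed with placeholder IDs and invented ranges.
# Real feeds (GitHub Advisory DB, OSV) carry the same fields: an ID, the
# package, the version where the flaw was introduced, and the fixed version.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "django",
     "introduced": "2.2", "fixed": "2.2.4", "severity": "high"},
    {"id": "EXAMPLE-ADV-0002", "package": "requests",
     "introduced": "0", "fixed": "2.20.0", "severity": "moderate"},
    {"id": "EXAMPLE-ADV-0003", "package": "celery",
     "introduced": "4.0", "fixed": "4.4.0", "severity": "low"},
]

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '2.2.3' into (2, 2, 3); trailing zeros are dropped so that
    '2.2.0' and '2.2' compare equal. Pre-release tags are ignored, which
    is sufficient for this demo but not for a production resolver."""
    parts: List[int] = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts) or (0,)


def version_in_range(v: Version, introduced: str, fixed: str) -> bool:
    """Half-open interval [introduced, fixed), the OSV-style convention."""
    return parse_version(introduced) <= v < parse_version(fixed)


def parse_requirements(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return ({package: pinned_version}, [lines that are not '==' pins])."""
    pinned: Dict[str, str] = {}
    unpinned: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.\-]+)==([0-9][0-9A-Za-z.\-]*)$", line)
        if m:
            pinned[m.group(1).lower()] = m.group(2)
        else:
            unpinned.append(line)
    return pinned, unpinned


def find_vulnerable(pinned: Dict[str, str], advisories: List[dict]) -> List[dict]:
    """Match each advisory against the manifest; only packages we actually
    pin can produce an alert, which is the noise filter the question asks for."""
    hits = []
    for adv in advisories:
        ver = pinned.get(adv["package"].lower())
        if ver is None:
            continue
        if version_in_range(parse_version(ver), adv["introduced"], adv["fixed"]):
            hits.append({"package": adv["package"], "installed": ver,
                         "advisory": adv["id"], "fixed": adv["fixed"],
                         "severity": adv["severity"]})
    return hits


def check_manifest(text: str, advisories: List[dict] = SAMPLE_ADVISORIES):
    pinned, unpinned = parse_requirements(text)
    return find_vulnerable(pinned, advisories), unpinned


if __name__ == "__main__":
    hits, unpinned = check_manifest(SAMPLE_REQUIREMENTS)
    for h in hits:
        print(f"[{h['severity']}] {h['package']}=={h['installed']} "
              f"affected by {h['advisory']}, upgrade to {h['fixed']}")
    for line in unpinned:
        print(f"[skip] not a '==' pin, resolve before checking: {line}")
```

Run against the constructed data it flags Django and celery, leaves requests alone (2.21.0 is past the fixed version) and lists the unpinned Pillow line as unchecked rather than silently ignoring it. The same loop, fed the real manifests of each hosted site, turns a firehose of CVEs into the handful that apply to versions you actually deploy.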

------
cdnsteve
I found github sec alerts so-so. Now starting to use snyk.io with better
results.

