Ask HN: Service that sends 0-day security bulletins only for software we use? - neotux

Staying up to date with vulnerabilities is proving to be a difficult task. Not all software has security mailing lists, and some do not even have forums or any discussion thread thereof. Lastly, operating system package updates are not always fast enough to protect against targeted attacks.

Is there any service that will keep track of the vulnerabilities of all popular software and will only tell us about the software we care about so that we can patch the software the instant a vulnerability becomes public?

If not, can you make one tptacek?

Thanks in advance,
neotux
======
lawnchair_larry
SecurityFocus used to do this. Symantec bought them, and I'm not sure if they
continue to offer the service, but they still create BIDs, so I'd assume so.
Subscribers got an interface that let them choose what software/versions they
care about, and they would get alerts based on that. I think Secunia either
has or had a similar service.

A few more are mentioned in this article from 2005. I'm not sure how many are
still up and running. It seems like a few businesses attempted this but it
didn't work out well. Oddly, people were excited about this ~8 years ago and
most companies got acquired and it seems like it died out.

[https://webcache.googleusercontent.com/search?q=cache:MVkOyW...](https://webcache.googleusercontent.com/search?q=cache:MVkOyWa_VXwJ:www.networkworld.com/reviews/2005/012405revvuln.html+&cd=2&hl=en&ct=clnk&gl=us&client=ubuntu)

------
Hrundi
Would you consider paying, say, 2 or 3 dollars a month for a service that
attempts to aggregate and curate almost all the 0 day mentions it can,
alerting you when a particular keyword matches? Something like a targeted
Google Alert?

I presume obscure pieces of software should be dealt with on a case-by-case
basis. There must be a service that does this; I can't find any at the moment.

If you're allowed to say, how rare is the software you want to track?

This has piqued my interest because I've been in the same situation and it
became a hassle to manage many mailing lists. My solution never went beyond a
few mail filters.

Nowadays, Google Alert helps quite a bit but it is hard to keep the noise out.

I'm certainly no tptacek, but I'd be most willing to give it a shot!

~~~
bmelton
Honestly, I think you'd get better traction making it something like $40+ a
month, or alternately, allowing for company usage where there is one account
with multiple email recipients, and charging $2-3 per recipient, plus a fixed
fee for the account.

------
nreece
SecurityFocus maintains a list of vulnerabilities at
<http://www.securityfocus.com/vulnerabilities>

You can use Feedity (our startup - <http://feedity.com>) to create RSS feeds
(and even merge multiple feeds into a stream, per software in your case) for
the vulnerabilities list.

------
pasbesoin
The Windows world has Secunia's Personal Software Inspector (PSI).

<http://secunia.com/vulnerability_scanning/personal/>

I can't really speak to it, personally. I tried it on one machine, some time
ago, but I was leery of using it more widely, including, but not only, for the
reason of having yet one more thing scanning and bogging down the system
drive.

The security-oriented press seemed, on balance, favorable towards the product.

------
hk_kh
It would be interesting if that solution included a program that analyzes your
machines' installed software, and notified you of 0-days for the exact
software version you have.

Later, on the site, you would have your machines listed, with the software on
these machines, and receive alerts per machine.
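An added example, not written by any poster in this thread, of the matching step behind what hk_kh and Hrundi describe: a per-machine software inventory checked against a bulletin feed, with alerts only where an installed version falls inside a bulletin's affected range. The inventory, product names, versions and bulletin ids below are all constructed placeholders, and the constraint syntax (`>=1.3.9 <1.5.0`) is an assumption, not any real feed's format.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample inventory: hostname -> {product: installed version}.
INVENTORY: Dict[str, Dict[str, str]] = {
    "web-01": {"webd": "1.4.0", "libcrypt-ex": "2.0.1e"},
    "db-01": {"dbd": "9.2.4", "libcrypt-ex": "2.0.1g"},
}

# Constructed sample bulletins (hypothetical ids, not real advisories). "affected"
# lists space-separated constraints that must all hold for a version to match.
BULLETINS: List[Dict[str, str]] = [
    {"id": "BULLETIN-0001", "product": "libcrypt-ex", "affected": "<2.0.1g"},
    {"id": "BULLETIN-0002", "product": "webd", "affected": ">=1.3.9 <1.5.0"},
    {"id": "BULLETIN-0003", "product": "httpd-ex", "affected": "<2.4.5"},
]

def version_key(v: str) -> tuple:
    """Turn '2.0.1e' into a tuple so numeric parts compare as numbers and a
    trailing letter release ('e' < 'g') sorts after the bare version."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.findall(r"\d+|[A-Za-z]+", v))

OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b, "==": lambda a, b: a == b}

def is_affected(version: str, affected: str) -> bool:
    """True if the installed version satisfies every constraint in 'affected'."""
    v = version_key(version)
    for constraint in affected.split():
        m = re.fullmatch(r"(<=|>=|==|<|>)(.+)", constraint)
        if not m:
            raise ValueError(f"bad constraint: {constraint!r}")
        op, bound = m.groups()
        if not OPS[op](v, version_key(bound)):
            return False
    return True

def match_bulletins(inventory, bulletins) -> List[Tuple[str, str, str]]:
    """Return (host, product, bulletin id) for every installed version a bulletin covers,
    so each machine gets only the alerts that apply to it."""
    hits = []
    for host, software in inventory.items():
        for b in bulletins:
            installed = software.get(b["product"])
            if installed and is_affected(installed, b["affected"]):
                hits.append((host, b["product"], b["id"]))
    return sorted(hits)

if __name__ == "__main__":
    for host, product, bid in match_bulletins(INVENTORY, BULLETINS):
        print(f"{host}: {product} is covered by {bid}")
```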