5 comments

[ 3.1 ms ] story [ 19.6 ms ] thread
Hello friends,

I'm one of the founders. Zero-days are exciting but we're especially good about the things that don't stay on the top of HN all day. Silent killers as it were.

Today we support Ruby and Ubuntu but we're expanding quickly! And if you're interested but don't have the time to try us out today, we also made http://isitvulnerable.com/ to demo what we can do.

Cheers,

So how are you finding the exploit signatures you don't know about? Is your claim that you are trying to take purchased 0day and creating a signature profile then doing a tripwire-esque agent on the machine? What is the claim here? "We protect against zero day" makes me think "how?"

If I find a way to attack a well known service that gains me access to a system and you don't know about that flaw... that's a 0day so how are you possibly going to protect against that attack?

Can you talk about the internals of your system without giving away your secret sauce? I.e., are you doing anything more than pulling CVE notifications, comparing the vuln against what the server is running, and if there's an intersection, inform the end user?

(Not to belittle your product -- patio11 made a living, and more importantly a brand, off of a Bingo Card app. Your product certainly offers value, and its particularly underpriced if you ask me. Still, I'm genuinely curious if you're doing any heuristic analyses, fuzzing, or other server-specific things to determine whether or not you're vulnerable to said exploit.)

Knowing if your application's dependencies have released security patches isn't just valuable, it's necessary. It's very painful and time consuming to monitor email lists, websites, RSS feeds, and GitHub issues for relevant information.

In my opinion, providing that information in a timely and actionable way, such as telling me when and how to update, is a useful service. When looking for a solution for Python applications I found https://requires.io/. It's a clever implementation since it reads a requirements file and is therefore easy to "deploy" and get immediately value from.

Your marketing leans towards 0-day protection. The challenge is doing anything actionable with knowledge of a new 0-day. Unless there is a patch available, which implies the discloser worked with the project/vendor, or a known workaround in lieu of official patch, how is your service doing to help?

What's your plan for supporting more operating systems, languages, and ecosystems? Are you curating information about security disclosures and software releases, or simply checking if newer versions of packages are available?