Ask HN: Which security vulnerability feeds should I Monitor?
I'm building a security vulnerability alerts service (details below), to use myself, and I'll make it available to others too. For server and client side (incl. Javascript) vulnerabilities, and dev/ops' operating systems and tools (e.g. IntelliJ, Chrome) vulnerabilities.
Which vulnerability feeds would you recommend that I monitor, to get to know about "all" vulnerabilities and exploits?
I've found these feeds:
1) https://nvd.nist.gov/download.cfm#RSS (a "National Vulnerability Database" feed, which I found via https://cve.mitre.org/cve/data_updates.html)
2) https://snyk.io/vuln/ (I'll need to find out / ask if their license allows my intended usage)
(then there's https://nodesecurity.io but they don't seem to have any data feed)
Is there any point in monitoring mailing lists like Bugtraq and the NVD feed mentioned above? Or are all important vulnerabilities posted in Bugtraq also included in the NVD database?
( Details: The point with this service is: """Security vulnerability alerts. For the software and services you use — instead of everything in the whole world.""" You can read more here: https://www.exploits.social/ — feedback about the idea, is welcome. Or if you happen to know that what I'm building, already exists. I know about: http://security.stackexchange.com/questions/25557/how-to-subscribe-to-information-about-new-vulnerabilities-in-selected-products — but the answers mentions either hard-to-use things and/or rather expensive things. For example, the top answer suggests subscribing to one "product" / "vendor" at a time, here: http://www.cvedetails.com/product-list.php — but the user experience at that site, isn't the best. And the 2nd answer is a commercial product, which seems expensive, because apparently I need to contact the company and ask for a quote. )
(I asked at Reddit 20 days ago, https://www.reddit.com/r/security/comments/4wun43/which_vulnerability_feeds_should_i_monitor_for_a/, and got some helpful replies, but about other things.)
Best regards, KajMagnus
8 comments
[ 3.1 ms ] story [ 31.4 ms ] threadhttps://security-tracker.debian.org/tracker/CVE-2016-4448
This gives me the impression that the NVD RSS feed, or alternatively the cve.mitre.org changelog (they contain the same vulns, I think), is an okay vuln list to monitor, and that that one alone will be enough, now initially, when getting started.
Because: The main source mentioned on the Debian tracker, seems to be cve.mitre.org. And at cve.mitre.org, there's this page: cve.mitre.org/cve/data_updates.html which recommends NVD or MITRE's own change log.
More things that came to my mind, when looking at the sources linked from the Debian tracker:
B.t.w. how kind of security-tracker.debian.org to include all those Source links :-)Ok, initially, it'll be NVD's RSS feed, or MITRE's change log, e.g.: https://cassandra.cerias.purdue.edu/CVE_changes/CVE.2016.08....
+ some other Git repositories not yet popular enough (?) to be included by MITRE, and some Javascript + Java & Scala stuff that I use.
https://anonscm.debian.org/viewvc/secure-testing/check-exter...
Not all the vulns in that advisory list get CVE numbers, so that list should be monitored in addition to CVE/NVD. And to me those JS vulns are important, for example, there was recently an XSS bug in a HTML sanitizer I'm planning to use.
(I actually went to https://nodesecurity.io/ a while ago, looking for a vulnerabilities feed, but didn't see / react-to the Advisories link at the top of the page, so I thought they didn't have any advisories list, or vuln feed.)
(The other lists seem to get CVE numbers (and will thus be included in MITRE and NVD, right). Or if they don't, they seem a bit too niche right now + I don't use them myself, so I'll skip them, for now.)
https://github.com/distributedweaknessfiling/DWF-Database
https://github.com/distributedweaknessfiling/DWF-Database/bl...
, I don't see any entry without a CVE number (except for some at the top, but they're in some 'REPLACED' status).
I'll probably skip this source, at least initially — seems a bit much work, to somehow analyze the DWF files, in order to find only a small (?) number of additional vulns.
NVD: https://nvd.nist.gov/download/nvd-rss-analyzed.xml — but initially only for software I use myself. Otherwise there'll be too many vulns. In the distant future: a web scraper that analyzes the CVEs/NVDs automatically.
nchan: https://github.com/slact/nchan/blob/master/changelog.txt (an Nginx module)
And some JS libraries: markdown-it, sanitize-html, React.js, + more. Perhaps I'll track them via https://nodesecurity.io/advisories if their terms-of-use allows this.
Play Framework. (via email list. It's a Scala web framework)
Silhouette. (via email list. It's an OpenAuth lib.)
In the future: More stuff. I'll try to remember to post an update, if I add/remove something that seems "significant". But this page will probably become read-only long before that.