A new open source service aims to speed up the security industry’s response to zero-days and high-impact vulnerabilities.
Bug Alert is a free tool running on GitHub that sends subscribers early warnings of newly disclosed security flaws. Developers, security professionals, and others can subscribe to alerts by email, text messages, or even phone calls.
Bug Alert will focus on “get-out-of-bed and cancel-your-date-night types of issues”, with short and clear messages. Alerts, its creator says, will be “rare”, with only the most serious notices sent out.
Bug Alert was inspired by the suboptimal response to the Log4J vulnerability, which is arguably unparalleled in its attack surface and was being exploited within 24 hours of, and possibly even before, disclosure.
Relying on social media for news of critical vulnerabilities or waiting for US-CERT or EU-CERT advisories gives increasingly nimble attackers too big a window of opportunity.
Bug Alert will never replace the process of assigning CVEs or sending US-CERT notices, but the goal is certainly to be ahead of them.
Most of the commercial offerings want to sell you not only the knowledge of the threat, but also the means of detecting or blocking the threat. Putting all of that intelligence together, and then having the confidence to report on it to your paying customers, takes time.