Printed 2017/08/20 11:03PM

Getting Security Vulnerability Information


Staying abreast of security vulnerability alerts can be a daunting task because there are so many each day. One source I use is Secunia. I'm subscribed to the free mailing list and it provides valuable information each and every day. When shut its doors (it's back, by the way, and thankfully so), one of my friends on Twitter asked where he could get vulnerability announcements and I pointed him at Secunia. But Secunia is a corporate entity so that always raises the question of how reliable are they? I think this recent blog post from the folks at the Open Source Vulnerability Database answers that:

VDB Relationships (hugs and bugs)

Here's what was said about Secunia:

OSVDB uses Secunia for one of our feeds to gather information. The two guys we regularly have contact with (CE & TK) lead a bright team that does an incredible amount of work behind the scenes. In case it slipped your attention, Secunia actually validates vulnerabilities before posting them. That means they take the time to install, configure and test a wide range of software based on the word of 3l1t3hax0ry0 that slapped some script tag in software you never heard of, as well as testing enterprise-level software that costs more than OSVDB makes in five years. Behind the scenes, Secunia shares information as they can with others, and there is a good chance you will never see it. If you aren't subscribed to their service as a business, you should be. For those who asked OSVDB for years to have a 'vulnerability alerting' service; you can blame Secunia for us not doing it. They do it a lot better than we could ever hope to.

and in case you're interested what was said about milw0rm founder str0ke, it was also completely complimentary:

str0ke, that mysterious guy that somehow manages to run milw0rm in his spare time. What may appear to some as a website with user-posted content, is actually a horrible burden to maintain. Since the site's inception, str0ke has not just posted the exploits sent in, but he has taken time to sanity check every single one as best he can. What you don't see on that site are dozens (hundreds?) of exploits a month that were sent in but ended up being incorrect (or as OSVDB would label, "myth/fake"). When str0ke was overwhelmed and decided to give up the project, user demand (read: whining & complaints) lead him to change his mind and keep it going. Make sure you thank him every so often for his work and know this: milw0rm cannot be replaced as easily as you think. Not to the quality that we have seen from str0ke.

So if you want two good sources of information on security vulnerabilities, check out Secunia and Milw0rm.


Copyright © 2002-2017 Redgate. All Rights Reserved. Privacy Policy. Terms of Use. Report Abuse.