[halite]

Hi, we're currently looking for such tool. Here are some questions that would be helpful for us:

How do you manage vulnerabilities database?

Do you've a list of OSS that this tool covers? Does it integrate with existing scanning tools like Nexpose (http://www.rapid7.com/products/nexpose/).

Can it scan code repositories?

What information does it capture from the machine? Where is the data center located?

What do you anticipate the bandwidth consumption would be like for this tool?

Any volume discounts?

edit: formatting.

[dchanm]

Hi halite!

1. We've got agents listening to incoming feeds, and did the work to ingest all the historical vulnerability data we could find.

2. We're focusing on apt installed packages for our initial release.

3 & 4. We haven't built out plugin support for scanning repos and ingesting from other tools. We're looking to get as much info as we can about what data you have to feed into us :), so we can figure out what'll work best!

5. The only machine metadata we're currently using is: hostname (this can be changed by setting the FRIENDLY_NAME environment variable), Operating System, Operating System Version, the tracking UUID for a package. The package data is: package and package version. We're aiming to keep the minimal subset of information we need to provide notifications :).

5. We're using Digital Ocean for our hosting (those guys rock!). Hosts are currently only in SF.

6. Our larger machine package sets are around 200-300kb.

7. How much volume?

[mmaunder]

Since you're only doing apt installed packages, couldn't you just mail yourself a list of ubuntu security updates for a machine using apt and have the same result?

[dchanm]

Hi mmaunder, e-mail notifications are our current callback mechanism but that will expand. The goal of our API is to allow you to consume the vulnerability data in a way that is more beneficial to you e.g Slack, CI. You could have a workflow where a new build is spun up on callback, packages updated, tests run and deployed

Apt is our starting point but we will expand into things like libraries and Ruby gems.

[halite]

> 7. How much volume?

I think what I'm more interested in understanding is how is license enforced? Our team is responsible for facilitation of pilots and this I can see useful for those machine but these come and go every few months.

[Shamiq]

Sure thing! The service pivots around machines as it's core pilar. On a more fundamental level, we consider a machine to be the set of unique packages tracked together. So for your case, you'd spin up a pilot, run the script, then post the data to us. Since it's a new machine, we'll issue it a UUID, and track billing against that UUID. If you change the packages on a machine? That's a-okay! We'll use the same UUID, and bill accordingly :). When it's time to sunset a machine, use our soon to be released API to remove it, and billing stops!

To be totally honest, we're still working out all the wrinkles of how billing would work, what's fair to users, and how to track your usage, so feedback is greatly appreciated!

[Shamiq]

Halite, feel free to ping me about the volume pricing! shamiq@patchworksecurity.com