by gruez 1546 days ago
Is there a site/service/mailing list that provides notifications for critical/RCE/in-the-wild exploit patches? Keeping every piece of software you run up-to-date takes a lot of work, and something like that would help with knowing what to prioritize.
3 comments

Yes! Computer Emergency Response Teams (CERT)[1] exist in most countries and publish security advisories as newsletters or RSS, e.g. the CERT-EU security advisories [2].

But there is so much software and so many exploits that the signal-to-noise ratio is low if you are not in charge of a big IT infra.

[1] https://en.m.wikipedia.org/wiki/Computer_emergency_response_...

[2] https://cert.europa.eu/cert/newsletter/en/latest_SecurityBul...

>[2] https://cert.europa.eu/cert/newsletter/en/latest_SecurityBul...

I took a look and my first impressions are not good.

1. Like you mentioned, the signal-to-noise ratio is pretty bad, e.g. "OpenSSL/LibreSSL Vulnerability (CERT-EU Security Advisory 2022-017)", which is a DoS exploit that consumers would likely not care about. There's also no vendor/product filter, so I get notifications about "H2 Database Console" that I don't care about.

2. It's slow/out of date, e.g. "Multiple Vulnerabilities in VMware (CERT-EU Security Advisory 2022-013)" was published on February 17, 2022, but the patch was published January 15th, a month earlier.
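The missing vendor/product filter complained about above is easy to bolt on yourself: pull the advisory RSS feed and keep only items that mention a product you run and carry an urgency marker (remote code execution, exploitation in the wild). This is an added example, not code from the thread or from any CERT; the feed text, the watchlist and the urgency phrases are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
# Constructed sample feed, not fetched from any real site; titles are
# modelled on the CERT-EU bulletin style discussed in the thread.
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0"><channel>
<item><title>OpenSSL/LibreSSL Vulnerability (Advisory 2022-017)</title>
<description>Denial of service via certificate parsing.</description></item>
<item><title>Multiple Vulnerabilities in VMware (Advisory 2022-013)</title>
<description>Remote code execution; exploitation in the wild reported.</description></item>
<item><title>H2 Database Console Vulnerability (Advisory 2022-009)</title>
<description>Unauthenticated remote code execution in the web console.</description></item>
</channel></rss>"""

# Assumed watchlist of products this operator runs, and the phrases
# that mark an advisory as urgent rather than merely informational.
WATCHLIST = ("openssl", "vmware")
URGENT = re.compile(r"remote code execution|\bRCE\b|in the wild|actively exploited", re.I)

@dataclass
class Advisory:
    title: str
    description: str
    def text(self) -> str:
        return f"{self.title} {self.description}"

    def on_watchlist(self, watchlist=WATCHLIST) -> bool:
        lowered = self.text().lower()
        return any(product in lowered for product in watchlist)

    def is_urgent(self) -> bool:
        return URGENT.search(self.text()) is not None

def parse_feed(xml_text: str) -> list[Advisory]:
    """Parse RSS 2.0 <item> elements into Advisory records."""
    root = ET.fromstring(xml_text)
    return [Advisory(item.findtext("title", "").strip(),
                     item.findtext("description", "").strip())
            for item in root.iter("item")]

def triage(xml_text: str, watchlist=WATCHLIST) -> list[str]:
    """Titles that are both on the watchlist and urgent: the items to act on."""
    return [a.title for a in parse_feed(xml_text)
            if a.on_watchlist(watchlist) and a.is_urgent()]

if __name__ == "__main__":
    for title in triage(SAMPLE_RSS):
        print("ACT NOW:", title)
```

Swap `SAMPLE_RSS` for the body of a real feed download and the same `triage` call turns a firehose into a short daily list; items that fail either test are still available in the feed, just not pushed at you.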

Yes, it's a firehose. I'm sure you can find a security vendor willing to offer a curated list somewhere.
I subscribe to debian and openbsd security advisory email lists, which works for me generally to know what is going on in the space(s) I care more about:

https://lists.debian.org/debian-security-announce/ (this one covers security updates to many packages, but not as much as CVE advisories cover, windows, etc)

https://www.debian.org/security/

https://www.openbsd.org/mail.html (ctrl-f for security, but unlike the debian ones, this only covers patches to the base OS, not other packages).

But for you of course it would depend on what you run and what matters to you.

Funny enough, I was asking myself the same question yesterday after 5 minutes of googling didn't get me anywhere. I see a recommendation mentioned below, but as I also saw, it's hard to find something where you can control the signal-to-noise ratio.