By Vinoth Venkatesan
High-impact vulnerability notification over email, phone call, or SMS
A brand-new open-source service aims to speed up the security industry's response to high-impact vulnerabilities and zero-days. Bug Alert, developed by security engineer Matthew Sullivan, is an open-source tool hosted on GitHub that sends subscribers early warnings of newly disclosed security flaws.
The project grew out of Sullivan's experience with how news of the Log4j vulnerability spread. Most of us first heard about Log4j through Twitter; LunaSec then published its widely shared blog post, and only after that was a CVE identifier allocated. It took more than a day for the criticality of the issue to sink in, and depending on the time zone you were in, much of the precious time to react had already been lost.
The industry must act faster. As various industry experts reported during the Log4j incident, attacks ramped up massively from the moment the vulnerability was disclosed on Twitter. For a security professional it is not comforting that attackers get nearly a day's head start simply because it takes that long to make everyone aware there is a problem in the first place.
This is where Bug Alert comes in.
According to Sullivan, Bug Alert is not meant to compete with commercial threat intelligence services. It follows a different model: notify you the moment it is clear there is a real threat, even if it cannot yet help you understand the next steps.
Alerts are delivered through a self-registration process. Developers, security professionals, and others can subscribe to alerts by email, text message, or even phone call. Subscribers can also choose the types of issues they care about (for example, 'Operating Systems' or 'Software Libraries') and how they want to be contacted for each of those types.
Sullivan indicates that Bug Alert will focus on “get-out-of-bed and cancel-your-date-night types of issues”, with short and clear messages. Alerts, he says, will be “rare”, with only the most severe notices sent out.
As an open-source project, all engagement is entirely open to the community. Anyone in the world can submit a vulnerability notice via a pull request. Once merged, the notice is posted on the website and delivered to subscribers via their preferred communication method in under 10 minutes.
Vulnerability disclosure, validation, and severity assignment all depend on the community. In his blog post, Sullivan asks the security community for help to make this endeavour work: he needs a team of volunteers around the world who can review and rapidly merge GitHub pull requests detailing new issues as they come in.
Since Bug Alert triggers notifications or calls only for 'very high severity' or 'critical' vulnerabilities, I believe it is an excellent way to get early warning and plan the remediation strategy for your crown jewels. If it works well, a Bug Alert notification may become the trigger for calling your threat intelligence provider. Let's hope for the best and a better 2022 with fewer critical vulnerabilities.
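To make the fan-out model concrete, here is an added example (not Bug Alert's own code) of what happens once a notice is merged: the notice is checked against a severity threshold, then matched against each subscriber's per-category contact preferences, so that only people who opted into that category are contacted, and only on the channels they chose. The notice fields, the category and severity names, the subscriber layout and the sample data are all assumptions made for this illustration, not the project's real format.

```python
"""Added illustration of Bug Alert's fan-out model: a merged notice is matched
against each subscriber's per-category contact preferences. This is not Bug
Alert's own code; the notice fields, category names, severity scale and
preference layout are assumptions made for the example."""
from dataclasses import dataclass, field

# Assumed severity scale: only the top levels are worth waking someone up for.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "very high": 3, "critical": 4}
DISPATCH_THRESHOLD = SEVERITY_RANK["very high"]


@dataclass
class Notice:
    """A constructed vulnerability notice, as it might be merged via PR."""
    title: str
    category: str          # e.g. "Software Libraries" (assumed category name)
    severity: str          # one of SEVERITY_RANK
    summary: str


@dataclass
class Subscriber:
    """Per-category contact preferences chosen at self-registration."""
    email: str
    phone: str = ""
    preferences: dict = field(default_factory=dict)  # category -> set of channels


def dispatch_plan(notice: Notice, subscribers: list) -> list:
    """Return (channel, address) pairs for everyone who should be alerted.

    A subscriber is alerted only if the notice meets the severity threshold and
    they opted into the notice's category; they are contacted on each channel
    they chose for that category. Phone channels are skipped when no number
    was registered, rather than failing the whole dispatch.
    """
    rank = SEVERITY_RANK.get(notice.severity.lower())
    if rank is None:
        raise ValueError(f"unknown severity {notice.severity!r}")
    if rank < DISPATCH_THRESHOLD:
        return []  # below the bar: keep alerts rare
    plan = []
    for sub in subscribers:
        for channel in sorted(sub.preferences.get(notice.category, ())):
            if channel == "email":
                plan.append(("email", sub.email))
            elif channel in ("sms", "call"):
                if not sub.phone:
                    continue  # chose a phone channel without a number
                plan.append((channel, sub.phone))
            else:
                raise ValueError(f"unknown channel {channel!r}")
    return plan


def format_message(notice: Notice, limit: int = 160) -> str:
    """Short, clear message sized for an SMS; the summary is truncated if needed."""
    text = f"[Bug Alert] {notice.severity.upper()}: {notice.title}. {notice.summary}"
    return text if len(text) <= limit else text[: limit - 3] + "..."


# Constructed sample data for a stand-alone run (not real notices or people).
SAMPLE_NOTICE = Notice(
    title="Remote code execution in a widely used logging library",
    category="Software Libraries",
    severity="critical",
    summary="Unauthenticated RCE via crafted log input; patch or mitigate immediately.",
)
SAMPLE_SUBSCRIBERS = [
    Subscriber("alice@example.com", "+15550100",
               {"Software Libraries": {"email", "call"}, "Operating Systems": {"email"}}),
    Subscriber("bob@example.com", "",
               {"Software Libraries": {"sms"}}),          # no phone: sms skipped
    Subscriber("carol@example.com", "+15550102",
               {"Operating Systems": {"call"}}),          # not subscribed to category
]

if __name__ == "__main__":
    for channel, address in dispatch_plan(SAMPLE_NOTICE, SAMPLE_SUBSCRIBERS):
        print(f"{channel:5} -> {address}: {format_message(SAMPLE_NOTICE)}")
```

Running the block sends alice both a call and an email, skips bob because he chose SMS without registering a number, and leaves carol alone because she never opted into 'Software Libraries'; a 'medium' notice produces no dispatch at all, which is the "alerts will be rare" property in code.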
About the Author
Vinoth Venkatesan
Vinoth is a cybersecurity professional at heart with over two decades of experience in Information Technology and Cybersecurity. He is an Australian Computer Society (ACS) Senior Certified Professional in Cybersecurity and holds various industry-leading cybersecurity credentials. Vinoth loves to write about the latest cybersecurity happenings and about blockchain-related topics.