Open source project will draw on community input to rapidly raise the alarm on zero-days
A new open source service aims to speed up the security industry’s response to zero-days and high impact vulnerabilities.
Bug Alert, developed by security engineer Matthew Sullivan, is a free tool running on GitHub that sends subscribers early warnings of newly disclosed security flaws.
Developers, security professionals, and others can subscribe to alerts by email, text messages, or even phone calls.
Sullivan says that Bug Alert will focus on “get-out-of-bed and cancel-your-date-night types of issues”, with short and clear messages. Alerts, he says, will be “rare”, with only the most serious notices sent out.
According to Sullivan, Bug Alert was inspired by the suboptimal response to the Log4j vulnerability, which is arguably unparalleled in its attack surface and was being exploited within 24 hours of, and possibly even before, disclosure. Security teams lost valuable time between the first exploits surfacing on Twitter and the issuance of a CVE, said Sullivan.
Relying on social media for news of critical vulnerabilities or waiting for US-CERT or EU-CERT advisories gives increasingly nimble attackers too big a window of opportunity, he believes.
“If there is something that is bad enough that the New York Times is going to be writing about it, shouldn't we be literally calling people, if they want to be, waking them up, and letting them know?” Sullivan told The Daily Swig.
“Bug Alert will never replace the process of assigning CVEs or sending US-CERT notices, but the goal is certainly to be ahead of them.”
Bug Alert sends subscribers early warnings of newly disclosed critical flaws
Complementing threat intel
Sullivan, who developed Bug Alert over the holiday period from an old barn converted to Airbnb accommodation, says the plan is not to compete with commercial threat intelligence services.
“Most of the commercial offerings want to sell you not only the knowledge of the threat, but also the means of detecting or blocking the threat. Putting all of that intelligence together, and then having the confidence to report on it to your paying customers, takes time,” he explained.
“Bug Alert has a different model, where we want to be notifying you the moment it's clear there is a real threat, even if we don’t have the ability to help you understand the next steps.
“Our project’s goal is to simply get you alert and engaged. If anything, I would hope that Bug Alert is the service that lets you know to give your threat intel provider a call.”
Call for volunteers
Rather than a commercial service, Bug Alert will be open source and rely on volunteers to draft notices and review and merge (publish) them.
Sullivan hopes to build global coverage, and is particularly keen to hear from developers in Europe and Asia-Pacific, as well as those who can help maintain the service. The open source model is also essential to ensuring Bug Alert is trusted, Sullivan believes.
“It’s an interesting proposition, and certainly a laudable aim,” Piers Wilson, director at the Chartered Institute of Information Security, told The Daily Swig. “The critical success factor seems to be community involvement: people trawling, or identifying, the vulnerabilities and detailing them.”
Sullivan has produced contributor guidelines for developers and security professionals interested in assisting Bug Alert.