Bug Alert: a service for alerting security and IT professionals of high-impact and 0day vulnerabilities

Overview

Bug Alert

Bug Alert is a service for alerting security and IT professionals of high-impact and 0day vulnerabilities.

Hi, I'm Matthew Sullivan, a security practitioner, and the creator of Bug Alert.

When the Log4j vulnerability was first discovered, it was reported, as most are, on Twitter. 13 hours passed between the time it was disclosed on Twitter to the time LunaSec put out their widely-shared blog post, and 5 hours passed after that before I saw it up at the top of Hacker News. By then, precious time for reacting had been completely lost; it was nearly midnight in my local timezone, and all the people I needed to mobilize were already in bed.

There is no central clearinghouse for notifying security professionals about critical security issues in widely-used software. The process for issuing security bulletins from organizations like the CISA are both welcomed and well-intentioned, but by the time a CVE identifier has been issued, or a bulletin posted, it's simply too late.

Bug Alert has exactly one goal: rapid notification for serious flaws in widely-used software. This process is conducted entirely in the open, via our project on GitHub. Email/phone/SMS notification services are (obviously) not free, but my intent is to keep this effort funded by community/industry donations, if it is ever needed.

Contributions are highly encouraged! We also need a team of volunteers from around the world who can review and rapidly merge GitHub pull requests detailing new issues, as they come in. Volunteers need to be kind, level-headed individuals who are willing to engage a diverse set of people in the security community with unwavering professionalism and no ego. If that sounds like you, open a GitHub issue letting us know!

What Are Notices & Contributing Your Knowledge

Notices are the lifeblood of this service; they are the text that will explain to the community what they need to be worrying about, and why. The merging of a new notice kicks off the automated processes for alerting subscribers by phone, SMS, and email - a potentially expensive operation (telephony services aren't cheap!) that gets only one shot. Notices will generally only be merged into this project for software in widespread use (think hundreds of thousands of installs), and only if there is a large, immediate, demonstrable risk to the systems that are running the vulnerable software.

If you want to submit a notice, simply fork this repository, follow the template in content/notices/202X-MM-DD-slug.md.template to author a new notice, and make a pull request.

0day vulnerabilities will be the most commonly-reported issue for this project, but Bug Alert's notices are not exclusive to 0days. For example, when Log4j 2.15.0 was released to address a years-old issue with prior 2.X.X versions, the security community almost immediately found a vector for denial-of-service (not worthy of a Bug Alert notice). However, a day later, once the DoS issue had already been patched by 2.16.0, researchers found that the vector for DoS in 2.15.0 could also be used for remote code execution. Such a finding would be worthy of a Bug Alert notice, because 2.15.0 was likely to be in widespread use at the time the new vector for RCE was found.

Notices are required to have several fields, the most important of which are Summary, Category, and Tags. Always use the template found at content/notices/202X-MM-DD-slug.md.template to craft a notice, and refer to this README for what acceptable values for summary, category, and tags should be.

Assigning Severity

Severity levels are 'High', 'Very High', and 'Critical'. Make a best effort based on the criteria below, but please be aware that project maintainers may raise or lower your proposed severity based on their own knowledge, experience, and understanding. A new Bug Alert notice may quite literally wake someone up out of bed; our goal should be to only do that when it is truly necessary and appropriate.

High Severity

The high severity level is to be used for vulnerabilities that are extremely damaging, but only in configurations that are found less often in real-world environments, or have other migitating factors. These issues need attention, but nobody is working overnight or during the weekend to patch systems.

Example: A flaw in Adobe Reader for Windows can be utilized to install malware on a single user's system, simply by opening a malicious PDF file.

Very High Severity

The very high severity level is to be used for vulnerabilities that introduce remote code execution, privilege escalation, information disclosure/leakage, etc, where the impact may be high, but other mitigating factors are present (necessary insider knowledge required for exploit, chaining of vulnerabilities is required for successful exploit, etc). These issues need prompt attention and may require an unexpected evening maintenence window, but you can probably keep your date night plans.

Example: A flaw in Microsoft Active Directory allows any authenticated domain user on the local network to escalate their role to Domain Administrator.

Critical Severity

The critical severity level is reserved for vulnerabilities that introduce remote code execution, privilege escalation, information disclosure/leakage, and similar issues which, if exploited, will lead to massive reputational and financial damage; the types of vulnerabilities that make national news. These issues need immediate attention, and you'll be working nights and weekends until you are certain you've got everything patched up.

Example: A flaw in Django, a widely-used Python webapp framework, allows an unauthenticated attacker to run arbitrary commands on the server via the Internet and retrieve the results of those commands.

None of Those Seem To Fit?

If the issue you want to report doesn't fit the descriptions above, it may be that the issue is not of high enough impact to be served by this project. We appreciate that you took the time to consider reporting the issue to a wider audience, and will encourage you to share your knowledge on social media such as Twitter or Reddit's security-focused subreddits.

Types of vulnerabilities generally outside the scope of Bug Alert's focus are described below. Use your judgement though, and don't hestitate to submit a notice if you are confident the wider security and IT communities need to know immediately about an issue.

For example, while DoS vulnerabilities are generally out of scope, an attack that could crash-loop an nginx server in one packet would still be worthy of a notice.

Issues generally outside the scope of this project include:

  • Software not in widespread use
  • Denial of service
  • Protocol attacks (e.g. TLS cipher downgrade)
  • Attacks requiring local network access (e.g. Microsoft SMB RCEs)
  • Attacks heavily relying on user interaction (e.g. user must be tricked into downloading an executable)

Summary

Summary is the text which will be shared in notifications sent out to all subscribers. It is the most critical piece of information, and accuracy and clarity is key. For subscribers who opt to recieve phone calls, the summary will be converted to spoken word through Google's Text-to-Speech engine.

Tags

Tags should make it easy for someone to browse the bugalert.org site and find previous issues related to a specific component. Tags are a comma-separated list that should include the name of the component, the framework or runtime (if applicable), and the severity rating.

For example, a critical issue impacting the popular Java library 'Jackson Databind' should include the tags jackson-databind, Java, and Critical Severity.

Category

Category is used to segment which notices subscribers would like to receive. There are four options, and notice authors must only pick one:

Software Frameworks, Libraries, and Components

Most commonly used for open-source components.

Examples: Django, Flask, Rails, Angular, Spring Boot.

Operating Systems

For operating systems, in desktop, server, and mobile flavors.

Examples: Windows SMB, Linux Kernel, iMessage, Apple Darwin.

Services & System Applications

For services not written by the operating system vendor, core components, and language runtimes. This category can also include components primarily indended for end-users, but that are rarely installed by the average non-administrative user of a system.

Examples: openssh, Apache HTTP Server, nodejs, nginx, Java Runtime, vim, curl, Python.

End-User Applications

Applications that your average non-technical user uses regularly, often without updating, unless an automatic updating mechanism is built into the application.

Examples: Firefox, Chrome, Thunderbird, Outlook, Adobe Acrobat Reader, Spotify, Audacity, VLC, Steam, Microsoft Office.

Contributing

Pull requests are welcome and encouraged.

Run Locally

Clone this repo and cd into it: g[email protected]:BugAlertDotOrg/bugalert.git && cd bugalert

Clone the bugalert-pelican repo in as well: [email protected]:BugAlertDotOrg/bugalert-pelican.git

In a Python 3.6+ environment, install all project requirements: pip install -Ur bugalert-pelican/requirements.txt

After that, you can run a local instance with: rm -rf output && pelican --autoreload --listen -s bugalert-pelican/pelicanconf.py

Owner
BugAlert.org
BugAlert.org
Downloads SEP, Baseband and BuildManifest automatically for signed iOS version's for connected iDevice

FutureHelper Supports macOS and Windows Downloads SEP, Baseband and BuildManifest automatically for signed iOS version's (including beta firmwares) fo

Kasim Hussain 7 Jan 05, 2023
GitHub Advance Security Compliance Action

advanced-security-compliance This Action was designed to allow users to configure their Risk threshold for security issues reported by GitHub Code Sca

Mathew Payne 121 Dec 14, 2022
FTP-Exploits is a tool made in python that contains 4 diffrent types of ftp exploits that can be used in Penetration Testing.

FTP-exploits FTP-exploits is a tool which is used for Penetration Testing that can run many kinds of exploits on port 21(FTP) Commands and Exploits Ex

1 Dec 26, 2021
BF-Hash - A Python Tool to decrypt hashes by brute force

BF-Hash Herramienta para descifrar hashes por fuerza bruta Instalación git clone

5 Apr 09, 2022
A Static Analysis Tool for Detecting Security Vulnerabilities in Python Web Applications

This project is no longer maintained March 2020 Update: Please go see the amazing Pysa tutorial that should get you up to speed finding security vulne

2.1k Dec 25, 2022
This project is for finding a solution to use Security Onion Elastic data with Jupyter Notebooks.

This project is for finding a solution to use Security Onion Elastic data with Jupyter Notebooks. The goal is to successfully use this notebook project below with Security Onion for beacon detection

4 Jun 08, 2022
DNSSEQ: PowerDNS with FALCON Signature Scheme

PowerDNS-based proof-of-concept implementation of DNSSEC using the post-quantum FALCON signature scheme.

Nils Wisiol 4 Feb 03, 2022
Red Team Toolkit is an Open-Source Django Offensive Web-App which is keeping the useful offensive tools used in the red-teaming together.

RedTeam Toolkit Note: Only legal activities should be conducted with this project. Red Team Toolkit is an Open-Source Django Offensive Web-App contain

Mohammadreza Sarayloo 382 Jan 01, 2023
🍉一款基于Python-Django的多功能Web安全渗透测试工具,包含漏洞扫描,端口扫描,指纹识别,目录扫描,旁站扫描,域名扫描等功能。

Sec-Tools 项目介绍 系统简介 本项目命名为Sec-Tools,是一款基于 Python-Django 的在线多功能 Web 应用渗透测试系统,包含漏洞检测、目录识别、端口扫描、指纹识别、域名探测、旁站探测、信息泄露检测等功能。本系统通过旁站探测和域名探测功能对待检测网站进行资产收集,通过端

简简 300 Jan 07, 2023
All in One CRACKER911181's Tool. This Tool For Hacking and Pentesting.🎭

This is A Python & Bash Programming Based Termux-Tool Created By CRACKER911181. This Tool Created For Hacking and Pentesting. If You Use This Tool To Evil Purpose,The Owner Will Never be Responsible

CRACKER911181 1 Jan 10, 2022
Having a weak password is not good for a system that demands high confidentiality and security of user credentials

Having a weak password is not good for a system that demands high confidentiality and security of user credentials. It turns out that people find it difficult to make up a strong password that is str

PyLaboratory 0 Feb 07, 2022
PreviewGram is for users that wants get a more private experience with the Telegram's Channel.

PreviewGram is for users that wants get a more private experience with the Telegram's Channel.

1 Sep 25, 2022
Providing DevOps and security teams script to identify cloud workloads that may be vulnerable to the Log4j vulnerability(CVE-2021-44228) in their AWS account.

We are providing DevOps and security teams script to identify cloud workloads that may be vulnerable to the Log4j vulnerability(CVE-2021-44228) in their AWS account. The script enables security teams

Mitiga 13 Jan 04, 2022
A secure way of storing your passwords.

StrongBox 🔐 A secure way of storing your passwords. 🔑 Why to use StrongBox? StrongBox makes it possible to have a random generated strong password i

Dylan Tintenfich 5 Dec 25, 2021
Cve-2022-23131 - Cve-2022-23131 zabbix-saml-bypass-exp

cve-2022-23131 cve-2022-23131 zabbix-saml-bypass-exp replace [zbx_signed_session

东方有鱼名为咸 135 Dec 14, 2022
The First Python Compatible Camera Hacking Tool

ZCam Hack webcam using python by sending malicious link. FEATURES : [+] Real-time Camera hacking [+] Python compatible [+] URL Shortener using bitly [

Sanketh J 109 Dec 28, 2022
Infection Monkey - An automated pentest tool

Infection Monkey Data center Security Testing Tool Welcome to the Infection Monkey! The Infection Monkey is an open source security tool for testing a

Guardicore Ltd. 6k Jan 09, 2023
Scan all java processes on your host to check weather it's affected by log4j2 remote code execution

Log4j2 Vulnerability Local Scanner (CVE-2021-45046) Log4j 漏洞本地检测脚本,扫描主机上所有java进程,检测是否引入了有漏洞的log4j-core jar包,是否可能遭到远程代码执行攻击(CVE-2021-45046)。上传扫描报告到指定的服

86 Dec 09, 2022
Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in python

Pupy Installation Installation instructions are on the wiki, in addition to all other documentation. For maximum compatibility, it is recommended to u

7.4k Jan 04, 2023
Detection And Breaking With Python

Detection And Breaking IIIIIIIIIIIIIIIIIIII PPPPPPPPPPPPPPPPP VVVVVVVV VVVVVVVV I::::::::II::::::::I P:::::::

Baris Dincer 1 Dec 26, 2021