Bug Alert: a service for alerting security and IT professionals of high-impact and 0day vulnerabilities

Overview

Bug Alert

Bug Alert is a service for alerting security and IT professionals of high-impact and 0day vulnerabilities.

Hi, I'm Matthew Sullivan, a security practitioner, and the creator of Bug Alert.

When the Log4j vulnerability was first discovered, it was reported, as most are, on Twitter. 13 hours passed between the time it was disclosed on Twitter and the time LunaSec put out their widely-shared blog post, and 5 hours passed after that before I saw it at the top of Hacker News. By then, precious time for reacting had been completely lost; it was nearly midnight in my local timezone, and all the people I needed to mobilize were already in bed.

There is no central clearinghouse for notifying security professionals about critical security issues in widely-used software. The processes for issuing security bulletins from organizations like CISA are both welcome and well-intentioned, but by the time a CVE identifier has been issued, or a bulletin posted, it's simply too late.

Bug Alert has exactly one goal: rapid notification for serious flaws in widely-used software. This process is conducted entirely in the open, via our project on GitHub. Email/phone/SMS notification services are (obviously) not free, but my intent is to keep this effort funded by community/industry donations, if it is ever needed.

Contributions are highly encouraged! We also need a team of volunteers from around the world who can review and rapidly merge GitHub pull requests detailing new issues, as they come in. Volunteers need to be kind, level-headed individuals who are willing to engage a diverse set of people in the security community with unwavering professionalism and no ego. If that sounds like you, open a GitHub issue letting us know!

What Are Notices & Contributing Your Knowledge

Notices are the lifeblood of this service; they are the text that will explain to the community what they need to be worrying about, and why. The merging of a new notice kicks off the automated processes for alerting subscribers by phone, SMS, and email - a potentially expensive operation (telephony services aren't cheap!) that gets only one shot. Notices will generally only be merged into this project for software in widespread use (think hundreds of thousands of installs), and only if there is a large, immediate, demonstrable risk to the systems that are running the vulnerable software.

If you want to submit a notice, simply fork this repository, follow the template in content/notices/202X-MM-DD-slug.md.template to author a new notice, and make a pull request.

0day vulnerabilities will be the most commonly-reported issue for this project, but Bug Alert's notices are not exclusive to 0days. For example, when Log4j 2.15.0 was released to address a years-old issue with prior 2.X.X versions, the security community almost immediately found a vector for denial-of-service (not worthy of a Bug Alert notice). However, a day later, once the DoS issue had already been patched by 2.16.0, researchers found that the vector for DoS in 2.15.0 could also be used for remote code execution. Such a finding would be worthy of a Bug Alert notice, because 2.15.0 was likely to be in widespread use at the time the new vector for RCE was found.

Notices are required to have several fields, the most important of which are Summary, Category, and Tags. Always use the template found at content/notices/202X-MM-DD-slug.md.template to craft a notice, and refer to this README for what acceptable values for summary, category, and tags should be.

Assigning Severity

Severity levels are 'High', 'Very High', and 'Critical'. Make a best effort based on the criteria below, but please be aware that project maintainers may raise or lower your proposed severity based on their own knowledge, experience, and understanding. A new Bug Alert notice may quite literally wake someone up out of bed; our goal should be to only do that when it is truly necessary and appropriate.

High Severity

The high severity level is to be used for vulnerabilities that are extremely damaging, but only in configurations that are found less often in real-world environments, or that have other mitigating factors. These issues need attention, but nobody is working overnight or during the weekend to patch systems.

Example: A flaw in Adobe Reader for Windows can be utilized to install malware on a single user's system, simply by opening a malicious PDF file.

Very High Severity

The very high severity level is to be used for vulnerabilities that introduce remote code execution, privilege escalation, information disclosure/leakage, etc., where the impact may be high, but other mitigating factors are present (insider knowledge is required for exploitation, chaining of vulnerabilities is required for successful exploitation, etc.). These issues need prompt attention and may require an unexpected evening maintenance window, but you can probably keep your date night plans.

Example: A flaw in Microsoft Active Directory allows any authenticated domain user on the local network to escalate their role to Domain Administrator.

Critical Severity

The critical severity level is reserved for vulnerabilities that introduce remote code execution, privilege escalation, information disclosure/leakage, and similar issues which, if exploited, will lead to massive reputational and financial damage; the types of vulnerabilities that make national news. These issues need immediate attention, and you'll be working nights and weekends until you are certain you've got everything patched up.

Example: A flaw in Django, a widely-used Python webapp framework, allows an unauthenticated attacker to run arbitrary commands on the server via the Internet and retrieve the results of those commands.

None of Those Seem To Fit?

If the issue you want to report doesn't fit the descriptions above, it may be that the issue is not of high enough impact to be served by this project. We appreciate that you took the time to consider reporting the issue to a wider audience, and will encourage you to share your knowledge on social media such as Twitter or Reddit's security-focused subreddits.

Types of vulnerabilities generally outside the scope of Bug Alert's focus are described below. Use your judgement, though, and don't hesitate to submit a notice if you are confident the wider security and IT communities need to know immediately about an issue.

For example, while DoS vulnerabilities are generally out of scope, an attack that could crash-loop an nginx server in one packet would still be worthy of a notice.

Issues generally outside the scope of this project include:

  • Software not in widespread use
  • Denial of service
  • Protocol attacks (e.g. TLS cipher downgrade)
  • Attacks requiring local network access (e.g. Microsoft SMB RCEs)
  • Attacks heavily relying on user interaction (e.g. user must be tricked into downloading an executable)

Summary

Summary is the text which will be shared in notifications sent out to all subscribers. It is the most critical piece of information, and accuracy and clarity are key. For subscribers who opt to receive phone calls, the summary will be converted to spoken word through Google's Text-to-Speech engine.

Tags

Tags should make it easy for someone to browse the bugalert.org site and find previous issues related to a specific component. Tags are a comma-separated list that should include the name of the component, the framework or runtime (if applicable), and the severity rating.

For example, a critical issue impacting the popular Java library 'Jackson Databind' should include the tags jackson-databind, Java, and Critical Severity.

Category

Category is used to segment which notices subscribers would like to receive. There are four options, and notice authors must only pick one:

Software Frameworks, Libraries, and Components

Most commonly used for open-source components.

Examples: Django, Flask, Rails, Angular, Spring Boot.

Operating Systems

For operating systems, in desktop, server, and mobile flavors.

Examples: Windows SMB, Linux Kernel, iMessage, Apple Darwin.

Services & System Applications

For services not written by the operating system vendor, core components, and language runtimes. This category can also include components primarily intended for end-users, but that are rarely installed by the average non-administrative user of a system.

Examples: openssh, Apache HTTP Server, nodejs, nginx, Java Runtime, vim, curl, Python.

End-User Applications

Applications that your average non-technical user uses regularly, often without updating, unless an automatic updating mechanism is built into the application.

Examples: Firefox, Chrome, Thunderbird, Outlook, Adobe Acrobat Reader, Spotify, Audacity, VLC, Steam, Microsoft Office.
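As an added example (not code from the Bug Alert project), here is a small checker that applies the notice rules above to a notice file: the 202X-MM-DD-slug.md filename pattern, a non-empty Summary, exactly one of the four Categories, and Tags that name the component plus exactly one severity rating. It assumes the template uses Pelican-style 'Key: value' metadata headers (the template itself is not reproduced in this README), and the sample notice is constructed.

```python
"""Check a Bug Alert notice against the field rules in this README.
Added example, not Bug Alert project code. Assumes Pelican-style 'Key: value'
metadata headers (Summary, Category, Tags); the template is not shown here."""
import re
from datetime import date

CATEGORIES = {
    "Software Frameworks, Libraries, and Components",
    "Operating Systems",
    "Services & System Applications",
    "End-User Applications",
}
SEVERITY_TAGS = {"High Severity", "Very High Severity", "Critical Severity"}
# Notices live at content/notices/YYYY-MM-DD-slug.md (the README's template path).
FILENAME_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})-([a-z0-9]+(?:-[a-z0-9]+)*)\.md$")


def parse_metadata(text):
    """Collect leading 'Key: value' lines; the first blank line ends them."""
    meta = {}
    for line in text.splitlines():
        if not line.strip():
            break
        key, sep, value = line.partition(":")
        if sep:
            meta[key.strip().lower()] = value.strip()
    return meta


def validate_notice(filename, text):
    """Return a list of problems; an empty list means the notice is acceptable."""
    problems = []
    meta = parse_metadata(text)
    m = FILENAME_RE.match(filename)
    if not m:
        problems.append("filename must look like YYYY-MM-DD-slug.md")
    else:
        try:
            # An unparseable date should fail the build rather than slip through.
            date.fromisoformat(m.group(1))
        except ValueError:
            problems.append(f"filename date {m.group(1)!r} is not a real date")

    # Summary is sent verbatim by email/SMS and read aloud by TTS on phone calls.
    if not meta.get("summary"):
        problems.append("Summary is required")

    # Exactly one of the four categories; subscribers filter on it.
    if meta.get("category") not in CATEGORIES:
        problems.append("Category must be one of: " + "; ".join(sorted(CATEGORIES)))

    # Tags: comma-separated, naming the component plus exactly one severity rating.
    tags = [t.strip() for t in meta.get("tags", "").split(",") if t.strip()]
    severities = [t for t in tags if t in SEVERITY_TAGS]
    if len(severities) != 1:
        problems.append("Tags must include exactly one of: " + ", ".join(sorted(SEVERITY_TAGS)))
    if len(tags) == len(severities):
        problems.append("Tags must name the affected component")
    return problems


# Constructed sample notice, modelled on the Jackson Databind tag example above.
SAMPLE_NOTICE = """\
Title: Jackson Databind critical issue (constructed example)
Date: 2022-01-05 10:00
Category: Software Frameworks, Libraries, and Components
Tags: jackson-databind, Java, Critical Severity
Summary: Constructed summary text for a test notice; not a real advisory.

"""

if __name__ == "__main__":
    print(validate_notice("2022-01-05-jackson-databind.md", SAMPLE_NOTICE))  # []
```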

Contributing

Pull requests are welcome and encouraged.

Run Locally

Clone this repo and cd into it: git clone git@github.com:BugAlertDotOrg/bugalert.git && cd bugalert

Clone the bugalert-pelican repo in as well: git clone git@github.com:BugAlertDotOrg/bugalert-pelican.git

In a Python 3.6+ environment, install all project requirements: pip install -Ur bugalert-pelican/requirements.txt

After that, you can run a local instance with: rm -rf output && pelican --autoreload --listen -s bugalert-pelican/pelicanconf.py

Comments
  • I would like to volunteer!

    I'm a 20+ year sysadmin with an interest in IT security and analysis. My LinkedIn is www.linkedin.com/os2mac; if you have any more questions, please let me know.

    personnel 
    opened by kaunix 7
  • I would like to volunteer!

    I have a decade as a security/privacy manager and now work at a FinTech company as a Security Operations Manager. I would be interested in adding my support and expertise to your project. In general, I can code, and I have a small security engineering team; our company supports pro-bono work by supplying paid hours.

    opened by amicone 4
  • Other donation channels?

    Hi there. I really like BugAlert and would like to contribute some money (not a lot, so don't spend too much effort on this) to the operating costs. However, I live outside the US, so I don't have a Venmo account and would prefer not to open one just for this purpose. Is there any other way to send one-off donations? Something like PayPal, Stripe, GitHub sponsors, ...?

    enhancement 
    opened by malexmave 4
  • I'd like to Volunteer

    10 years of security, most of that blue team with a hint of red. I look forward to helping you out with this. I have always wondered what the best way to handle this problem would be.

    question personnel 
    opened by Rogueit 4
  • Link in pkexec email URL searches for title=log4j, no matches

    Great service. Best of luck with it.

    I just read the notice email for the pkexec bug. The link for "Discussion can be found on Github" links to https://github.com/sullivanmatt/bugalert/pulls?q=is%3Apr+in%3Atitle+log4j which appears to be referencing log4j. The q= query string is "is:pr in:title log4j". The result is "no results matched your search." Perhaps the search term should be "is:pr in:title pkexec" for this bug?

    bug good first issue 
    opened by jezzaaa 3
  • Email with + doesn't work

    When you use the Gmail feature [email protected] to create a unique email address to ensure less spam/more security, as all good IT professionals do, Bugfix will let you sign up, but the magic link sent in the email gets an error.

    Uh oh! There is something wrong with your magic link (an error was returned from our API).

    bug 
    opened by ultramiker 3
  • Vulnerability: Multiple Atlassian Products

    Contributor Checklist

    For Vulnerability Reports

    • [x] Check "Allow edit from maintainers" option in pull request so that additional changes can be pushed by the Bug Alert team.
    • [x] Ensure you used the notice template for posting a notice. The 'summary' field will be used for notifications (email, phone, and SMS). It is of the utmost importance that the summary be clear and concise, so we ask that you please follow the format suggested in the template unless there is a compelling and justifiable need to deviate from it.

    Leave the following intact, which notifies our volunteer team: @BugAlertDotOrg/volunteer-team

    opened by defau1t 2
  • Vulnerability: Atlassian Jira

    Contributor Checklist

    For Vulnerability Reports

    • [x] Check "Allow edit from maintainers" option in pull request so that additional changes can be pushed by the Bug Alert team.
    • [x] Ensure you used the notice template for posting a notice. The 'summary' field will be used for notifications (email, phone, and SMS). It is of the utmost importance that the summary be clear and concise, so we ask that you please follow the format suggested in the template unless there is a compelling and justifiable need to deviate from it.

    Leave the following intact, which notifies our volunteer team: @BugAlertDotOrg/volunteer-team

    opened by defau1t 2
  • Non-HTTPS Link for Donations in Alert Emails

    See https://bug-alert.slack.com/archives/C02TBUW5NKB/p1648664439269079

    The click tracking service used in emails about security vulnerabilities seems to only be used on the donation link and is hosted at http://url7360.bugalert.org/. This domain, however, is not available via HTTPS (at least not with a certificate that browsers will accept -- the domain names on the cert don't include url7360.bugalert.org). Further, if you manually accept that cert, the HTTPS connection will send an HSTS header, preventing further access to this domain (via HTTPS or otherwise).

    Possible remedies include:

    • Disabling click tracking and linking directly to the donation page
    • Replacing the TLS cert on url7360.bugalert.org
    • If possible, using one of the domains the TLS cert is signed for rather than the url7360.bugalert.org hostname
    bug 
    opened by mvastola 2
  • Fix for Issue #36 - all emails search for log4j PR instead of {slug}

    Contributor Checklist

    For Site Improvements

    • [x] Check "Allow edit from maintainers" option in pull request so that additional changes can be pushed by the Bug Alert team if needed.
    • [x] I have performed a self-review of my own code.
    • [N/A] I have commented my code, particularly in hard-to-understand areas.
    • [x] My changes generate no new warnings.
    • [x] I have run Pelican locally to ensure my changes have not disrupted the look, feel, or functionality of the site.
    • [x] I have checked my code and corrected any misspellings.
    • [x] I have added a pull request description which details the nature of this change.

    Leave the following intact, which notifies our volunteer team: @BugAlertDotOrg/volunteer-team

    opened by ethans 2
  • Vulnerability: pkexec

    Contributor Checklist

    For Vulnerability Reports

    • [x] Check "Allow edit from maintainers" option in pull request so that additional changes can be pushed by the Bug Alert team.
    • [x] Ensure you used the notice template for posting a notice. The 'summary' field will be used for notifications (email, phone, and SMS). It is of the utmost importance that the summary be clear and concise, so we ask that you please follow the format suggested in the template unless there is a compelling and justifiable need to deviate from it.
    opened by matthewsullivan-wf 2
  • I would like to volunteer!

    ~~Tell us about yourself. We want to ensure volunteers have relevant security expertise, so please include information and/or links related to your skillset or past projects.~~

    My experience is: I check IT news every day for work, so I can probably notify people about vulnerabilities. BugAlert currently doesn't have lots of notifications.

    opened by n1trux 0
  • Pelican site build doesn't finish before notifications go out

    They currently run in parallel; I think we're going to need to restructure the build to:

    1. Build the site and deploy it
    2. Check to see that the post is up at the expected URL
    3. Send notifications
    bug good first issue 
    opened by sullivanmatt 0
  • Structured data

    Has anyone considered whether a more structured primary data format, such as JSON, might potentially be advantageous to achieve consistent data contents and allow accurate automated filtering? For example, if I have production Java workloads using the Spring framework, I'd want to know about a Spring RCE, even at 3am. On the other hand, if I'm not using Java, I'd prefer more sleep :)

    enhancement 
    opened by securityguy 2
  • Pelican build doesn't fail when it should sometimes

    Example: https://github.com/BugAlertDotOrg/bugalert/runs/5760177587?check_suite_focus=true

    It should have failed the step because the date was not able to be processed.

    bug 
    opened by mattlorimor 0
  • Document sender address for notifications

    Hi there!

    I'm planning to hook up the bugalert email alerts to our Jira security service desk, which requires me to create a "customer account" for the sender of the message (otherwise the email will be discarded). Can you document somewhere which email address will be used to send the notifications? Is it a single address that is used for account verification and all future notifications, or are there different email addresses for different purposes, which would all have to be set up as customers in Jira?

    Thanks for this awesome project, I really hope it takes off and sticks around :).

    opened by malexmave 3
  • Add Webhook JSON customizability or Slack WebHook format support

    Currently there's no easy way to integrate with Slack using the standard methods. https://api.slack.com/messaging/webhooks

    I see two logical options:

    1. Allow customizing the webhook JSON payload, e.g. an editable JSON template with fields as ${parameters}, or similar. This has the upside of supporting many APIs, including Slack's, and the message can be customized. The downside is that you're possibly creating a way for users to use the site to post custom requests anywhere. Maybe that's not a big deal?

    2. If you do not wish to allow a custom payload, maybe just add an option for the Slack payload format and create a default Slack template that should be good enough for anyone.

    enhancement 
    opened by mkorkalo 4