An IT pro is tired of having to follow Twitter accounts to stay up to date on cybersecurity developments, and he’s built a website that will phone you if there’s a new vulnerability you really need to know about.
Bugalert, founded by product manager Matt Sullivan, is a collaborative project that he hopes will take the hassle out of trying to tell signal from noise when security researchers uncover high-impact vulnerabilities.
Keeping up with rapidly evolving situations, such as the Log4j vuln and its iterations, he said, is “quite overwhelming”. He believes that relying on the allocation of CVE numbers is too slow in this day and age. (It took about a day and a half for the initial version of the Log4j vuln to be given a CVE in November 2021, before one of the vulnerabilities made its way to Twitter a week later.)
“You know, I’m reading about this vulnerability,” Sullivan sighed as he described the Log4j frustration that led to Bugalert. “It’s the middle of the night in our time zone. And this tweet was posted at 9am local time, saying there was this catastrophic problem. And I found myself extraordinarily frustrated because someone had a 15 hour deadline and we couldn’t, you know, get the word out.”
There will be very few people in IT who are not aware of this problem. If you follow the right Twitter accounts, you can gain precious hours or even minutes when a new vulnerability becomes public knowledge. People who rarely look away from Twitter are more likely to catch a new one that needs immediate remedial action, while those who insist on living in meatspace (or even sleeping, the crankier among us) can be left behind.
Sullivan described Bugalert as relying on vetted volunteers (“someone with deep industry experience, to see if something is important”) who send push alerts to registered subscribers.
People do this via Bugalert’s GitHub page, its founder explained, saying that this allows him to “choose a number of geographically dispersed repository admins” for 24/7 coverage. As for the process, it seems pretty simple: “When they see the notification needs to go out, they review and merge it, which triggers the alert process.”
It is a process that is intentionally human so far and does not depend on ingesting or digesting summaries from traditional threat intelligence feeds. With that in mind, what’s the difference between Bugalert and traditional mailing lists or an RSS feed?
Mailing lists, as their name suggests, send email messages. “I don’t know about you, but my email is disastrous,” said Sullivan semi-seriously. “Pressing things and email is not a good combination for me.”
The other problem with mailing lists, in his opinion, is that popular notification services from vendors are “subject to very high standards of accuracy”.
Sometimes it’s more important to apply mitigations quickly than to spend time being precise about how a particular bug affects particular environments or deployments.
“I think it makes sense to alert someone, and say ‘There’s a problem, and we don’t know how to tell you to fix it.’ But your job now is to be aware of it and at least figure it out,” said Sullivan.
In his vision, Bugalert’s participating organizations will receive an alert, “have a cup of tea while they’re built,” and bump their product version number: “And an hour later they’re produced, and they’re back in bed.”
Very neat on paper. But what about the phone option? If you sign up for it, Bugalert will call your phone and play a text-to-speech version of a generic alert created by one of Bugalert’s volunteers. Sullivan said he imagined users would save Bugalert’s phone number and allow it to bypass their “Do Not Disturb” settings, something we at The Reg think might be a little fanciful.
However, he estimated more specifically that three-quarters of Bugalert’s 600 existing subscribers have signed up for the SMS alerts: “Obviously there’s value there. People say again, ‘My email isn’t enough, I need something more direct than that. Yes, I am… people are definitely interested in early notifications, but they are also interested in different types of notifications that they are not currently receiving.”
Industry reaction has been mixed, with a Reddit thread about Bugalert containing both praise and informed criticism. One poster noted: “You have built an email/SMS sending infrastructure but you are also looking for volunteers to report, screen, verify and approve vulnerabilities. The volunteer stage is what anti-volunteerism does, albeit very slowly.”
As for financing, so far it all depends on the Sullivan bank account. He told us he’d consider financial contributions or sponsorships in the future, but rejected the idea of hanging banner ads, something that would undoubtedly satisfy the gremlins in the back room of Vulture Central.
Some will not see the value of this project, arguing that Bugalert duplicates any number of existing notification mechanisms. Others will be horrified by the idea of strangers being able to wake them up with bots reading words down their phones in the middle of the night. However, a few hundred system administrators think it fills a niche. ®