One way to receive up-to-date reports about vulnerability issues is subscribing to vulnerability RSS feeds: they update on demand, they don’t rely on your mail subsystem and they don’t fill up your mailbox. The only drawback is that you could miss alerts if you don’t sync your feeds for a long time, but if you’re a IT security manager, you don’t have a life, so how could it happen anyways?
Here’s the top feeds you should be subscribed to (CVE tags are reported in brackets):
- NIST Vulnerability Database.
- US Cert Technical Security Alerts [CERT].
- SecurityFocus Vulnerabilities [SF-INCIDENTS].
- Open Source Vulnerability Database [OSVDB].
- IBM Internet Security Systems Threats [ISS].
- Vupen Security Advisories [VUPEN].
- Secunia Latest Security Advisories (Unofficial) [SECUNIA].
- eEye Security Advisories [EEYE].
The above list is also available as OPML file you can import into your feed reader.
Furthermore, you should subscribe to Operating Systems product-centric vulnerability feeds to ensure you receive timely information regarding updated packages and suggested workarounds for your infrastructure. Here’s a comprehensive list, sorted alphabetically:
- Apple Security Announce (Mac OS X, iPhone, etc) [APPLE].
- Checkpoint’s SmartDefense Service [CHECKPOINT].
- Cisco’s Product & Service Security Advisories [CISCO].
- Debian Security Advisories [DEBIAN].
- Fedora Security Updates [FEDORA].
- FreeBSD Security Advisories [FREEBSD].
- Gentoo Linux Security Advisories (GLSA) [GENTOO].
- Mandriva Security Advisories [MANDRIVA].
- Microsoft’s Security Notification Service Comprehensive Edition [MS].
- NetBSD Security Advisories [NETBSD].
- OpenPKG Security Advisories [OPENPKG].
- OpenBSD Errata [OPENBSD].
- Red Hat Security Advisories [REDHAT].
- Slackware Linux Security Advisories [SLACKWARE].
- Solaris SunSolve Alerts [SUNALERT].
- SUSE Linux Enterprise Security Advisories (also contains OpenSUSE advisories) [SUSE].
- Ubuntu Security Notices [UBUNTU].
OS security advisory feeds are available as OPML file as well.
Have I missed anything? Please report if you find some advisory feed I accidentally missed. Also, if you’re into an Operating System security team and you don’t offer a security announcement feed, please consider making it available.