Function of Vulnerability Disclosure Mailing Lists
Vulnerability disclosure mailing lists are typically used to disclose security vulnerabilities and can also serve as a platform for discussing information security. These lists let every subscriber see the latest announced vulnerabilities. Occasionally, a vulnerability is not reported to the vendor and is simply released to the public as a Zero Day. When this occurs, significant risk arises because the Zero Day is known to malicious actors while no fix is available. Security researchers may also not give vendors enough time to patch a vulnerability before publishing it. In such circumstances, you need to update to the latest version of the affected software as soon as a patch is released to limit the risk to your security infrastructure. Alternatively, refraining from using the affected software until the vendor releases a fix is another way to minimize risk.
Below are the most prominent vulnerability disclosure mailing lists that you should subscribe to:
One of the most prominent security mailing lists is Full Disclosure. When you subscribe to this mailing list, you will receive notifications when security researchers disclose vulnerabilities in numerous web applications and platforms. More significantly, this mailing list is also the one where you are likely to discover a Zero Day for which the vendor has not been notified.
BugTraq is a renowned mailing list that was created in 1993 and is now owned by Symantec. The list provides a consolidated view of vulnerabilities, so there is no need to search for individual vendor announcements manually. The majority of the latest vulnerabilities are discussed on this mailing list. You can subscribe by sending an email to firstname.lastname@example.org.
The US-CERT (United States Computer Emergency Readiness Team) has been responding to security incidents and disclosing vulnerability details since the Morris Worm spread during the mid-1980s. It has four mailing lists that you can choose from. The first is Alerts, which are the security disclosures. The second is Bulletins, which consist of weekly vulnerability summaries accompanied by patch information when available. Tips offer advice on general security issues. Lastly, Current Activity provides current information about high-impact types of security incidents affecting the general public. At a minimum, subscribing to Bulletins will benefit your security awareness, since the information delivered weekly reveals new vulnerabilities categorized as high, medium, or low in separate charts based on their base score from the Common Vulnerability Scoring System (CVSS).
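The weekly triage described above, as an added example that is not part of the original article: it buckets bulletin entries by CVSS base score, keeps only those affecting software you run, and attaches the patch-or-avoid action the article recommends. The CSV layout, product names and EXAMPLE ids are constructed, and the bands (high 7.0-10.0, medium 4.0-6.9, low 0.0-3.9) are an assumption, since the article does not state thresholds.

```python
import csv
import io

# Constructed sample data: ids, product names and column layout are made up
# for this example and do not come from a real bulletin.
SAMPLE_BULLETIN = """\
id,product,cvss_base,patch_available
EXAMPLE-0001,acme-webmail,9.8,no
EXAMPLE-0002,acme-cms,6.5,yes
EXAMPLE-0003,other-ftpd,7.5,yes
EXAMPLE-0004,acme-cms,3.1,yes
"""

def severity(base_score):
    """Map a CVSS base score to a band (thresholds assumed for this example)."""
    if not 0.0 <= base_score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {base_score}")
    if base_score >= 7.0:
        return "high"
    if base_score >= 4.0:
        return "medium"
    return "low"

def triage(bulletin_csv, inventory):
    """Return entries that affect software in `inventory`, highest score first."""
    wanted = {name.lower() for name in inventory}
    hits = []
    for row in csv.DictReader(io.StringIO(bulletin_csv)):
        product = row["product"].strip().lower()
        if product not in wanted:
            continue  # not software we run
        score = float(row["cvss_base"])
        patched = row["patch_available"].strip().lower() == "yes"
        hits.append({
            "id": row["id"].strip(),
            "product": product,
            "severity": severity(score),
            "score": score,
            # Mirrors the advice above: update once a patch exists,
            # otherwise stop using the software until the vendor ships a fix.
            "action": "update to the patched version" if patched
            else "no patch: avoid using until the vendor releases a fix",
        })
    return sorted(hits, key=lambda h: (-h["score"], h["id"]))

if __name__ == "__main__":
    for hit in triage(SAMPLE_BULLETIN, ["acme-cms", "acme-webmail"]):
        print(hit["severity"].upper(), hit["id"], hit["product"], "->", hit["action"])
```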