Hi

I'm Chris.

vuln.pub

November 11th, 2014

A while back I had a small digital ocean instance running elastic search as part of an app. There was a big vulnerability in the dynamic scripting module that allowed arbitrary code execution. My instance got hacked, but it was around two months after the vulnerability disclosure, but I never heard about it.

I was wanting to try out the Phoenix framework in Elixir at the time, so I put together a little app that monitors security disclosure lists and will notify you when a package in your application has a vulnerability. If your packages are managed through a package manager like apt, npm, pypi, or rubygems, then it's really simple to get notifications when there's a disclosure affecting you.

The site is called vuln.pub. You can create a "monitor" which has a manifest describing the dependencies in your app. vuln.pub will periodically poll your manifest for changes in your packages and package versions. When a vulnerability comes in from a seclist, it will find all the packages you have installed, and if the version is vulnerable, send you a notification.

Elixir was surprisingly pleasant, much more so than node. I think I'll be writing a lot of stuff in the future with it.

Stuff used: elixir, phoenix, postgres, ecto, browserify, influxdb, gulp