Exploit/Vulnerability database?

littleguy

Backstory: Have deployed a lot of Wordpress, Drupal, Joomla sites. I'd like to be able to see in a list or receive digests (emails) when new 0-day vulnerabilities that affect these systems are released into the wild.

Fine-grained control (such as only core, or core+specific plugins/modules) would be awesome. Haven't found anything like this. Does anyone know?

jhadley

Not sure of this but there are plenty of ways of keeping your scripts up to date automatically, which might be easier :)

Patrick

For WP you can subscribe to their mailing list, most likely same for other CMS's

For WP: http://codex.wordpress.org/Mailing_Lists#Announcements

littleguy

@jhadley said: there are plenty of ways of keeping your scripts up to date automatically

Automatically updating core/plugins is a bad move. There are plenty of things that change or break between versions. Having to explain to your customers why their site doesn't work after a failed/buggy "auto update" is not a good strategy. In fact, I'm not even sure how you can write that with a straight face.

@StormVZ said: For WP you can subscribe to their mailing list, most likely same for other CMS's

Will subscribe, but since it's "major announcements" only, I'm not sure they report 0-day?

Edit: Also, what's with the stupid requirement for their development news list?

This list is only open to developers who have a plugin in the WordPress Plugins Directory or a theme in the WordPress Themes

Patrick

@littleguy Yeah lol a bit weird, I was just browsing through the WP plugins and this may be of use: http://wordpress.org/extend/plugins/mail-on-update/

Might install it myself on our blog

NickM

Your best bet may be to subscribe to Bugtraq and Full Disclosure. Most stuff is posted there before it ever becomes "public".

risharde

For Drupal security updates, check out http://drupal.org/security You would have to subscribe for the updates. I did it a while back and I notice they do a pretty good job releasing updates. Good luck.