Show HN: Patchwork – Real-time notifications for OSS vulnerabilities

122 points by Shamiq, over 9 years ago

11 comments

halite, over 9 years ago
Hi, we're currently looking for such a tool. Here are some questions that would be helpful for us:

How do you manage the vulnerabilities database?

Do you have a list of OSS that this tool covers? Does it integrate with existing scanning tools like Nexpose (http://www.rapid7.com/products/nexpose/)?

Can it scan code repositories?

What information does it capture from the machine? Where is the data center located?

What do you anticipate the bandwidth consumption would be like for this tool?

Any volume discounts?

edit: formatting.
Comment #10897534 not loaded
Comment #10897666 not loaded
chatmasta, over 9 years ago
This would be a cool service to integrate with GitHub badges, next to test coverage and build status, e.g. "2 UNPATCHED VULNERABILITIES" or "VULNERABILITY ASSESSMENT PASSED".

It should be simple enough to intersect the list of a project's dependencies with a list of libraries with known vulnerabilities.

If you provided this as a free service, you'd get a bunch of free advertising from the GitHub badges, like Travis CI. :)
Comment #10897526 not loaded
Shamiq, over 9 years ago
Hi all! I'm Shamiq, ex-Matasano and co-founder of Patchwork Security. David and I built Patchwork as a devops tool to help manage open source vulnerabilities. We want to drive the time between an available fix and patched infrastructure to zero. We'd love for you to try it out, and let us know what you think!

We'll be here all day answering comments, or you can reach us at shamiq@patchworksecurity.com or david@patchworksecurity.com.
Comment #10897142 not loaded
k33n, over 9 years ago
Launched something very similar last year and learned that integrations with existing security scanning tools were more important than building our own from scratch. We actually open sourced our Linux agent (https://github.com/NoSprawl/LinuxAgent) and a few other little nuggets, but never announced anything.
Comment #10898148 not loaded
deadfece, over 9 years ago
Pakiti (http://pakiti.sourceforge.net/) is another useful tool in this space.
Comment #10900049 not loaded
mmaunder, over 9 years ago
Awesome. Can we hook into this to send updates to Slack instead?
Comment #10897748 not loaded
jondubois, over 9 years ago
You should make this service free for individuals (hackers) and charge companies.

Companies which pay for the service will be notified of the vulnerability before hackers.

Basically you foster a community of hackers while at the same time charging companies protection money from your own hackers.
Comment #10899025 not loaded
Comment #10898308 not loaded
TheHippo, over 9 years ago
Doesn't work on my Ubuntu machine:

    curl -L https://git.io/cleansweep | sh
    sh: 94: curl: Argument list too long

Comment #10899102 not loaded
Comment #10897466 not loaded
DoubleMalt, over 9 years ago
Sorry to be snide, but seriously?

    curl -L https://git.io/cleansweep | sh

For a security tool?

[edit] I still think it's a great idea, though [/edit]
Comment #10897488 not loaded
Comment #10897341 not loaded
Comment #10897325 not loaded
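The objection raised in the comments above is to the `curl ... | sh` install step itself. As an added example (not Patchwork's installer and not anything from the thread beyond the pattern being criticised), here is what a defender would do instead: download the installer to a file, verify it against a digest pinned from a separate channel, optionally read it, and only then run it. The digest publication channel, the `example.invalid` URL and the all-zero digest are assumptions and placeholders, not values from the page.

```shell
#!/bin/sh
# Added example (not Patchwork's installer): fetch, pin, verify, inspect, run.
# Assumption not taken from the thread: the vendor publishes the installer's
# SHA-256 digest through a separate channel, and that value is pinned here.
set -eu

# sha256_of FILE -> prints the hex digest using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{ print $1 }'
    else
        echo "sha256_of: no SHA-256 tool found" >&2
        return 2
    fi
}

# verify_script FILE EXPECTED_HEX -> 0 only when the digest matches exactly.
verify_script() {
    actual=$(sha256_of "$1") || return 2
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "verify_script: digest mismatch for $1 (got $actual, want $2)" >&2
    return 1
}

# fetch_and_run URL EXPECTED_HEX -> download to a temp file (never straight
# into sh), verify against the pinned digest, then execute. Fails closed:
# a mismatch or a failed download never reaches the interpreter.
fetch_and_run() {
    url=$1; expected=$2
    tmp=$(mktemp) || return 2
    # -f: treat HTTP errors as failures, -L: follow redirects, -o: save to file.
    curl -fsSL -o "$tmp" "$url" || { rm -f "$tmp"; return 2; }
    rc=1
    if verify_script "$tmp" "$expected"; then
        # With the file on disk it can be opened and read before it runs.
        rc=0
        sh "$tmp" || rc=$?
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage (placeholder URL and digest, not real values):
# fetch_and_run "https://example.invalid/installer.sh" \
#     "0000000000000000000000000000000000000000000000000000000000000000"
```

The point of the split into `sha256_of`, `verify_script` and `fetch_and_run` is that verification is a separate, testable step: a pinned digest only helps if it was obtained somewhere other than the server that serves the script, and the downloaded file is kept so it can be read before anything executes.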
DyslexicAtheist, over 9 years ago
Is this a joke?

Piping random shit off the web straight into a shell. Sounds like the worst advice. I'm sure the maintainers of this site really know their stuff when it comes to security.

A malicious attacker will love breaking this site and finding out who uses which versions.
Comment #10903558 not loaded
Comment #10903458 not loaded
SchizoDuckie, over 9 years ago
This just sounds like a bad idea to me. Why would you publish all this very sensitive machine info to a third party to retrieve that list? This would be a goldmine if they got hacked.

Also, don't tell your users to blindly pipe curl to sh, ever.

It would be a much better design if it worked the other way around: aggregate recent security patches into a database and send those to the servers, and have them do a local compare of vulnerabilities. You could charge for the database access and still keep your business model.
Comment #10897404 not loaded
Comment #10898931 not loaded
Comment #10897388 not loaded
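The design SchizoDuckie proposes above (ship the advisory database to the host and compare locally, so the machine's inventory never leaves it) is the same intersection chatmasta describes earlier in the thread: installed packages against a list of known-vulnerable versions. As an added example that is not Patchwork's code or anyone's from the thread, here is that local comparison as a small POSIX shell script. The `ADVISORIES` feed and `INVENTORY` lines are constructed sample data with placeholder advisory ids, and `version_lt` is a simplified dotted-numeric comparison (with a letter-suffix tiebreak for versions like OpenSSL's), not the full ordering rules of dpkg or rpm.

```shell
#!/bin/sh
# Added example of the inverted design: the advisory feed comes to the host and
# the comparison happens locally, so the package inventory never leaves it.
# ADVISORIES and INVENTORY are CONSTRUCTED sample data with placeholder ids;
# version_lt is a simplified dotted-numeric compare, not dpkg's full rules.
set -eu

# Advisory feed, one per line: "<package> <first fixed version> <advisory id>".
ADVISORIES='openssl 1.0.1f ADVISORY-PLACEHOLDER-1
bash 4.3.30 ADVISORY-PLACEHOLDER-2
nginx 1.4.7 ADVISORY-PLACEHOLDER-3'

# Local inventory, one per line: "<package> <installed version>".
# On a real host this comes from the local package manager, never from a remote.
INVENTORY='openssl 1.0.1e
bash 4.3.30
nginx 1.6.2
zlib 1.2.8'

# version_lt A B -> exit 0 if A sorts before B: compare each dotted field
# numerically first, then as a string so "1e" < "1f"; missing fields count as 0.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, A, "."); m = split(b, B, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            x = (i in A) ? A[i] "" : "0"
            y = (i in B) ? B[i] "" : "0"
            if (x + 0 != y + 0) { r = (x + 0 < y + 0) ? 0 : 1; exit r }
            if (x != y)         { r = (x < y) ? 0 : 1; exit r }
        }
        exit 1
    }'
}

# check_inventory -> prints one line per package below its fixed version and
# returns 1 if any were found (usable as a cron or CI exit code), else 0.
check_inventory() {
    hits=0
    while read -r pkg installed; do
        [ -n "$pkg" ] || continue
        while read -r adv_pkg fixed advisory; do
            [ "$adv_pkg" = "$pkg" ] || continue
            if version_lt "$installed" "$fixed"; then
                printf '%s %s is below fixed version %s (%s)\n' \
                    "$pkg" "$installed" "$fixed" "$advisory"
                hits=$((hits + 1))
            fi
        done <<EOF
$ADVISORIES
EOF
    done <<EOF
$INVENTORY
EOF
    if [ "$hits" -eq 0 ]; then return 0; else return 1; fi
}

# Run against the constructed data; only openssl should be reported.
check_inventory || echo "one or more packages need patching" >&2
```

Nothing in this script talks to the network: a real deployment would refresh `ADVISORIES` from a signed feed and generate `INVENTORY` from the package manager, but the matching itself stays on the host, which is exactly the property the comment asks for.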