There's a stunning amount of elbow grease involved in that.
If you're a random company, you have an engineer sitting around whose job involves reading a dozen mailing lists - and we want to save everyone from that redundancy.
Oh yeah, I know. I think there's value in what you're trying to do. I would pay 9/m if it also covered application dependencies. I was just curious how it works. What's the time between CVE release and getting a notification from your service?
+1 for Python. You're probably aware of a company called Sonatype that does something like this during the dev process. Their business is growing fast. As far as I know nobody is doing this in production. I think you've found a nice niche that has a lot of potential. Good luck.
1. They all do a great job! But there's this last mile problem with managing the information they do put out.
If you can handle the downtime, unattended-upgrades will work just dandy. If your postgres restarting in the middle of the night gives you pause, our service can help you choose how to roll out your security upgrades.
2. We cover app dependencies as well! For now just Ruby, but others as well pretty soon.
Currently, there is no straightforward way of checking Ubuntu package versions against CVEs. Debian provides this through debsecan[1], but this tool is pretty much broken on Ubuntu[2].
Correct, but if this will reduce the 0-day / 1-day time then it's very useful if your server does anything important. The difference between responding to Shellshock in 15 mins vs 2 hours could be exploitation.
"just", there are very well paid full-time people working in big-name companies doing pretty much this. Auditing is a real big pain, and this is certainly not the first company trying to address this.