Alex,

For web vulnerability discovery, one of the most important tools for us is Nessus, to search and check against the CVE database. Sometimes Nessus finds some vulnerable packages on our Gentoo boxes, and when we go to emerge -UDN them, the updated version is not there, even when the fixes are available [in other distros, for example]. Core Impact (http://www.coresecurity.com/) does a great job too, but we only tested the demo version. [That is great too.] There is another interesting tool [not really web related, but...], the Secunia PSI (http://secunia.com/vulnerability_scanning/online/), which does a great job at finding un-updated packages, but it is Windows only.

Reading your last answer, I had the impression we were talking about different things, but I think I can connect them. My apologies for speculating without reading the complete team work documentation, but even if issue correction is not our job, as you said, I think we could pressure package maintainers to update their packages, since we (in theory) have more visibility into package vulnerabilities that can be fixed but aren't fixed yet. This could even have an impact on GLSA updates, for example. So, if we have an automatic mechanism that searches vulnerability databases - CVE, for example - and finds which packages have issues that were already fixed, we could, for example, label packages with some flag that tells users and developers that this package needs review to fix some vulnerability. I thought this was an interesting point to discuss, because this could in principle force updates to be faster and more Bugzilla-free. I have nothing against Bugzilla, but the process as a whole takes too much time, and we could in principle search vulnerability databases and provide developers and users with information about how secure their systems are.

Thanks again.

Daniel

On Fri, Aug 26, 2011 at 3:44 PM, Alex Legler wrote:
> On Friday 26 August 2011 15:22:40 Daniel A. Avelino wrote:
> > When I think about automation, I had in mind something that could help
> > developers to find vulnerabilities in a faster way [searching and
> > checking against CVE, for example] and start a "call for solution"
> > process. I work with solutions of this type for web vulnerability
> > discovery, and some tools are very interesting to reduce the correction
> > time.
>
> We already use CVE as one of our sources of vulnerability intelligence.
> Finding issues is also not the real issue here.
> Also, actual issue correction is not our job, it's the responsibility of
> the package maintainer.
>
> Can you share details about the utilities you are using?
>
> Alex
>
> --
> Alex Legler
> Gentoo Security / Ruby
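As an added illustration of the mechanism Daniel sketches above (example code written for this page, not code from the thread or from Gentoo's own security tooling): a small Python script that compares installed package versions against an advisory feed and labels each affected package according to whether the fix is already in the portage tree (the user just needs to update) or is only available upstream (the package needs maintainer review, which is the case Daniel wants to surface). The package names, versions and the CVE-style identifiers (`CVE-0000-...`) are constructed placeholders, not real packages or real CVEs, and the version parser is a deliberate simplification of Gentoo's version syntax that only understands dotted numerics with an optional `-rN` revision.

```python
"""Toy advisory matcher: which installed packages have a published fix,
and is that fix in the tree yet? (Added example; data below is constructed.)"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve_id: str    # placeholder identifier, not a real CVE
    package: str   # Gentoo-style category/name
    fixed_in: str  # first upstream version that carries the fix


def parse_version(v: str):
    """Parse 'a.b.c[-rN]' into (numeric parts, revision).

    Assumption: only dotted numerics plus an optional Gentoo -rN revision.
    Real Gentoo versions also allow letters and _p/_rc/_beta suffixes, which
    this toy parser rejects rather than misorders.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    parts = tuple(int(x) for x in m.group(1).split("."))
    rev = int(m.group(2) or 0)
    return parts, rev


def version_lt(a: str, b: str) -> bool:
    """True if version a sorts strictly before version b (1.2 == 1.2.0)."""
    pa, ra = parse_version(a)
    pb, rb = parse_version(b)
    n = max(len(pa), len(pb))
    pa = pa + (0,) * (n - len(pa))
    pb = pb + (0,) * (n - len(pb))
    return (pa, ra) < (pb, rb)


# Label priority: a package that needs maintainer attention should not be
# masked by another advisory that is already fixed in the tree.
NEEDS_REVIEW = "NEEDS-MAINTAINER-REVIEW"  # fix exists upstream, not in tree
UPDATE_AVAILABLE = "UPDATE-AVAILABLE"     # fix is in the tree, just emerge it


def classify(installed, tree_best, advisories):
    """Return {package: (label, [cve ids])} for affected installed packages.

    installed:  {package: installed version}
    tree_best:  {package: highest version currently in the portage tree}
    """
    result = {}
    for adv in advisories:
        cur = installed.get(adv.package)
        if cur is None or not version_lt(cur, adv.fixed_in):
            continue  # not installed, or already at/after the fixed version
        avail = tree_best.get(adv.package)
        if avail is not None and not version_lt(avail, adv.fixed_in):
            label = UPDATE_AVAILABLE
        else:
            label = NEEDS_REVIEW
        prev_label, ids = result.get(adv.package, (UPDATE_AVAILABLE, []))
        if prev_label == NEEDS_REVIEW:
            label = NEEDS_REVIEW
        result[adv.package] = (label, ids + [adv.cve_id])
    return result


# Constructed sample data (hypothetical packages, versions and ids).
INSTALLED = {"app-misc/foo": "1.4.2", "net-libs/bar": "2.0.1-r1", "dev-util/baz": "3.1"}
TREE_BEST = {"app-misc/foo": "1.4.2", "net-libs/bar": "2.0.3", "dev-util/baz": "3.1"}
ADVISORIES = [
    Advisory("CVE-0000-0001", "app-misc/foo", "1.4.3"),  # fixed upstream, tree lags
    Advisory("CVE-0000-0002", "net-libs/bar", "2.0.2"),  # tree already has 2.0.3
    Advisory("CVE-0000-0003", "dev-util/baz", "3.0.5"),  # installed 3.1 is not affected
]


def scan():
    return classify(INSTALLED, TREE_BEST, ADVISORIES)


if __name__ == "__main__":
    for pkg, (label, ids) in sorted(scan().items()):
        print(f"{label:24} {pkg:16} {', '.join(ids)}")
```

In a real deployment the two dictionaries would be populated from the box itself (for example the output of `qlist -Iv` for installed versions and the local portage tree for available versions) and the advisory list from a CVE feed; the point of the example is the third outcome, where the installed version is vulnerable, the fix is public, and the tree still does not carry it, which is exactly the set of packages Daniel proposes flagging for maintainer review.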