How to keep tabs on the latest software vulnerabilities

Why should you keep your eyes peeled?

Most software vulnerabilities are programming or configuration errors made during development. They leave security holes. If left unpatched, they can be exploited by hackers to install malware on your device, steal your personal information, listen in on your calls, read your texts, use your device for phishing, or completely take over your device.

Your software or app developers are responsible for patching these security bugs, but they might not always respond to them quickly enough. This opens a small window between when the vulnerability is discovered and when it is patched. Hackers monitor these opportunities while also looking for vulnerabilities themselves. The good news is, you are not powerless.

Most exploits can be prevented by simply being aware of them. For example, an app might have a bug that allows hackers to perform a buffer overflow attack simply by calling you. Or hackers might use security vulnerabilities in your device to try to infect it with a compromised message, image, or video. Forewarned is forearmed – when you know these vulnerabilities exist, you can look out for attacks.

But where can you find the latest vulnerability reports? Here’s where to look.

What can you do to keep up to date?

1. Public vulnerability databases

These databases will have the latest information from security researchers, white-hat hackers and security analysts. They are very convenient for the tech-literate, as they will provide in-depth explanations, vulnerability scores and lots of other metrics you may need to know. However, these platforms might be a bit overwhelming for tech novices. They rarely include step-by-step guidelines for the average user.

• National Vulnerability Database. The U.S. government’s repository lists Common Vulnerabilities and Exposures (CVEs) and analyzes them based on publicly available information. It also assigns CVEs metrics such as its severity (Common Vulnerability Scoring System – CVSS), vulnerability type (Common Weakness Enumeration – CWE), and applicability (Common Platform Enumeration – CPE).
• Common Vulnerabilities and Exposures (CVE). A publicly available database that lists the most recent CVEs. This database exchanges information with the NVD, which you may prefer for its analysis and metrics.
• VULDB. A crowdsourced vulnerability database that was previously created by the Open Source Vulnerability Database (OSVDB) and then shut down in 2016. It’s now a paid service that lets you browse recent vulnerabilities by CVSS scores, products, vendors, and types.

2. Follow security researchers and white-hat hackers

You’ll find first-hand information on websites and blogs provided to you by security researchers and security analysts. They search for security bugs for various devices and software and then publish their findings on their websites and blogs. Other news outlets usually write articles based on the information provided on these platforms. One of such examples is:

• The Talos Security Intelligence and Research Group’s (Talos) researchers work on detecting, analyzing and protecting Cisco products. Their website lists vulnerability reports and microsoft advisories, as well as a blog powered by multiple security researchers, a podcast and a community support.
• Krebs on Security. Brian Krebs is a journalist, not a security researcher, but he takes great interest in cybersecurity and his blog is well recognized in the industry. He often writes about the latest vulnerabilities and interviews security researchers.

3. Sign up for a vulnerability alert service

If you don’t have time to handpick vulnerabilities yourself or read the news, there are third-party services that can curate vulnerabilities for you. All it takes is for you to choose the type of software or devices you use and you’ll receive regular updates on the latest vulnerabilities. Some offer weekly newsletters, while others offer premium services like vulnerability alerts as they’re released. One example is Sec Alerts.

4. Follow cybersecurity news and blogs

News outlets such as the New York Times, Gizmodo, and Wired always release articles about the most recent and severe security bugs. If you read cybersecurity news daily, you will be aware of what to look out for.

You can also find news on cybersecurity blogs like ours at NordVPN. These will often include more in-depth information on the vulnerability and what you need to do to protect your data. These are perfect for anyone – from tech novices to tech pros (you can subscribe to free NordVPN monthly newsletter below). In addition, we regularly share cybersecurity and privacy news on our Facebook page.

What else can you do?

Programmers and developers are responsible for preventing and fixing security bugs. Is there anything you can do while these vulnerabilities are being patched? Here are some precautionary measures:

• Keep your software and apps up to date. Tech giants like Microsoft, Apple, and Google release regular updates that will always include patches to the latest bugs. Make sure to use the latest versions of your apps.
• Use an antivirus. It may not patch bugs, but it will prevent hackers from taking advantage of some of them. A good antivirus will pick up on a virus or malware, notify you, and quarantine it before it does any damage. At worst, it will help you clean up and mitigate damage. This is great if the vulnerability has been found but the patch has yet to be released.
• Do your research before buying a new device. Does it already have any known hardware vulnerabilities? What reputation does the manufacturer have? Some devices and their software are more secure than others.
• Practise good internet behavior. Don’t make a hacker’s job any easier than it needs to be. Even if they did find a way to compromise your app or your device, there are simple things that you could do to stop them, like using a strong password, 2FA, or simply logging out of your accounts. Find more tips in our how to fix bad internet behaviors post.
• Use a VPN. A VPN encrypts your traffic and changes your IP address, which makes it more difficult for hackers to find you in cyberspace.