

Question

I've been a developer for quite some time, and as part of my ongoing learning process I've learnt how to spot and remedy broken (and insecure) code written by others. Recently, I've found myself digging through random projects and noting down security issues that I've spotted, ranging from XSS to SQLi, insecure uploaders to full-blown arbitrary command execution issues, and I've found myself wanting to be a bit more organised.

In my occupation we make heavy use of Jira and other such organisational tools, but I can't help but think Jira is a bit TOO feature-ful for what I want to keep track of. Information I'd want to track would be along the lines of 'Target Identification -> Vulnerability Definition -> CVE Assignment -> Resolution/Disclosure tracking'.

Are there any open source projects out there that you, as security researchers, use to keep track of your discovered vulnerabilities and their progress through their discovery/disclosure lifetime? Is there a gap in the 'market' here? Could the sector benefit from a tool made to make the life of the security researcher easier?

Looking forward to any opinions you all want to throw about.

Explanation / Answer

Any bug-tracking software is the standard tool for this. Vulnerabilities you find are simply 'bugs'. Assign severity, track the vendor's response and follow-up, and detail the issues all within the tool.

GitHub, Bugzilla, Jira, etc. Choose the tool that matches your needs and workflow.
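Whichever tracker is chosen, the useful part is the lifecycle the question sketches (target identified, vulnerability defined, CVE assigned, resolved, disclosed) plus the severity and vendor follow-up the answer mentions. The following is an added example, not code from either poster or from any of the tools named above: a minimal record type that enforces forward-only stage transitions, validates the CVE identifier format before the "CVE assigned" stage, and flags findings that are still unresolved past a disclosure deadline. The `Stage` names, the `Finding` class, the 90-day default window and the `CVE-0000-0000` placeholder are all assumptions made for this example.

```python
import re
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional, Tuple


class Stage(str, Enum):
    """Lifecycle stages, named after the workflow in the question (assumed labels)."""
    IDENTIFIED = "target_identified"
    DEFINED = "vulnerability_defined"
    CVE_ASSIGNED = "cve_assigned"
    RESOLVED = "resolved"
    DISCLOSED = "disclosed"


# Allowed forward transitions; anything not listed is rejected, so a record
# can never silently move backwards or skip the definition step.
TRANSITIONS = {
    Stage.IDENTIFIED: {Stage.DEFINED},
    Stage.DEFINED: {Stage.CVE_ASSIGNED, Stage.RESOLVED},  # a CVE is optional
    Stage.CVE_ASSIGNED: {Stage.RESOLVED},
    Stage.RESOLVED: {Stage.DISCLOSED},
    Stage.DISCLOSED: set(),
}

SEVERITIES = ("low", "medium", "high", "critical")
CVE_PATTERN = re.compile(r"^CVE-\d{4}-\d{4,}$")


@dataclass
class Finding:
    target: str
    title: str
    severity: str
    reported: date
    disclosure_days: int = 90          # assumed default window for this example
    stage: Stage = Stage.IDENTIFIED
    cve: Optional[str] = None
    history: List[Tuple[date, Stage, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.severity not in SEVERITIES:
            raise ValueError(f"unknown severity {self.severity!r}")
        self.history.append((self.reported, self.stage, "opened"))

    def assign_cve(self, cve_id: str) -> None:
        """Store a CVE id after checking it has the CVE-YYYY-NNNN+ shape."""
        if not CVE_PATTERN.match(cve_id):
            raise ValueError(f"malformed CVE id {cve_id!r}")
        self.cve = cve_id

    def advance(self, new_stage: Stage, on: date, note: str = "") -> None:
        """Move to the next stage, recording date and note; rejects illegal moves."""
        if new_stage not in TRANSITIONS[self.stage]:
            raise ValueError(f"cannot go from {self.stage.value} to {new_stage.value}")
        if new_stage is Stage.CVE_ASSIGNED and self.cve is None:
            raise ValueError("call assign_cve() before entering the CVE_ASSIGNED stage")
        if on < self.history[-1][0]:
            raise ValueError("history must be chronological")
        self.stage = new_stage
        self.history.append((on, new_stage, note))

    def deadline(self) -> date:
        return self.reported + timedelta(days=self.disclosure_days)

    def overdue(self, today: date) -> bool:
        """True when the vendor has not resolved the issue by the deadline."""
        unresolved = self.stage not in (Stage.RESOLVED, Stage.DISCLOSED)
        return unresolved and today > self.deadline()


def overdue_findings(findings: List[Finding], today: date) -> List[Finding]:
    """Worklist of findings that need follow-up with the vendor."""
    return [f for f in findings if f.overdue(today)]


if __name__ == "__main__":
    # Constructed sample record; the target name and CVE id are placeholders.
    f = Finding("example.invalid", "Reflected XSS in search", "high", date(2024, 1, 1))
    f.advance(Stage.DEFINED, date(2024, 1, 2), "reproduced, vendor notified")
    f.assign_cve("CVE-0000-0000")
    f.advance(Stage.CVE_ASSIGNED, date(2024, 1, 5))
    for when, stage, note in f.history:
        print(when, stage.value, note)
    print("overdue on 2024-04-02:", f.overdue(date(2024, 4, 2)))
```

The transition table is the part worth copying into whatever tracker is actually used: configuring the same forward-only states (and a required CVE field on the "CVE assigned" state) in Jira or GitHub Projects gives the same guarantees without a custom tool.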