Vulnzy Bot
A bot which is responsible for managing the vulnerability reports published at https://iavm.xyz/b/vulnz.
Tasks
The bot performs the following tasks:
Automatically publish vulnerability reports after the deadline
The bot will search private (restricted) vulnerability reports and will do the following:
- If the report has the "DoNotPublish" label, don't automatically publish it.
- If the report was marked with status "Fixed" or "Verified" more than 30 days ago, publish it.
- If the report isn't marked as "Fixed"/"Verified" and the "Reported" date is earlier than the current time minus the number of days set in the "Deadline" field, publish it.
In all the calculations above, a grace period of 1 day is added (so in reality it's 31 days instead of 30, and Deadline + 1 day instead of Deadline).
Add a disclosure alert 5 days before it is automatically disclosed
The bot will add a comment to a vulnerability report 5 days before it is automatically disclosed as explained in the previous section.
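The publish rules and the 5-day alert described above, written out as a decision function. This is an added illustration, not the bot's own code; the Report dataclass, its field names and the sample reports are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

GRACE = timedelta(days=1)          # grace period added to every deadline
FIXED_WINDOW = timedelta(days=30)  # publish 30 days after Fixed/Verified
ALERT_LEAD = timedelta(days=5)     # comment 5 days before auto-disclosure


@dataclass
class Report:
    """Hypothetical in-memory view of an issue (not the bot's real type)."""
    reported: datetime                          # "Reported" field
    deadline_days: int                          # "Deadline" field, in days
    status: str = "New"
    status_changed: Optional[datetime] = None   # when Fixed/Verified was set
    labels: list = field(default_factory=list)


def disclosure_time(r: Report) -> Optional[datetime]:
    """Moment after which the bot would auto-publish r; None if never."""
    if "DoNotPublish" in r.labels:
        return None
    if r.status in ("Fixed", "Verified"):
        # Assumption: without a recorded status-change time we cannot tell
        # whether 30 days have passed, so this rule does not publish.
        if r.status_changed is None:
            return None
        return r.status_changed + FIXED_WINDOW + GRACE
    return r.reported + timedelta(days=r.deadline_days) + GRACE


def should_publish(r: Report, now: datetime) -> bool:
    """Rule 2 or 3 has elapsed (strictly past the grace-adjusted deadline)."""
    t = disclosure_time(r)
    return t is not None and now > t


def should_alert(r: Report, now: datetime) -> bool:
    """True inside the 5-day window before disclosure (not yet due)."""
    t = disclosure_time(r)
    return t is not None and t - ALERT_LEAD <= now <= t


# Constructed sample reports (not real issues).
OPEN = Report(datetime(2023, 1, 1), deadline_days=90)
FIXED = Report(datetime(2023, 1, 1), 90, "Fixed", datetime(2023, 2, 1))
HELD = Report(datetime(2023, 1, 1), 90, labels=["DoNotPublish"])
```

For OPEN the disclosure moment is 2023-04-02 (90 days plus the 1-day grace), so the alert comment would start on 2023-03-28 and publication happens once the clock is past 2023-04-02.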
Set up
- Set up Git Watcher:
- Create a service account in your Google Cloud project.
- Give it permission to use the Monorail API.
- Give it appropriate permissions in each Monorail project.
- Create subdirectory //secret/ and download the service account's credentials JSON file to //secret/credentials.json.
- Run make docker-prod and docker-compose up -d.