First, I want to express that I like your work very much. Since PSI, my favored personal security update assistant, died, I have been looking for a good alternative for a very long time. VulnDetect (Carma) looks like it has the chance to be this product.
Therefore I would like to ask some questions about further development.
Do you have a time schedule or a roadmap where we can see how your further progress is planned?
Is there an estimated date when the product will be in a state where "normal" private users can install it?
Which states are planned (alpha / beta / GA) and when?
Thanks for your work to help users to become less vulnerable!
@snorre I can't give you any very exact estimates on the state of the product going forward.
Now we have been in "Tech Preview" for 3 months, and I believe that we are ready for (early) Alpha next week. We presume that Alpha will be the right label for at least a couple of months, perhaps even to the end of the year.
And Beta quality should be realistic before the end of the year. Once we reach Beta, I think it is viable for most users, except the most novice.
When it comes to labeling the solutions as Alpha / Beta we like to believe that we are leaning towards the conservative side, but I'll let you be the judge of that.
@Snorre I helped add products to the database, so I can tell you that there were many issues where SecTeer needed to find a good concept (a concept for how the rules must be built so they work without needing manual adjustment).
But the problem is that there are many applications that store the version info anywhere but not where they should.
So there are many rules to treat those apps...
We are currently releasing a new (and presumably final) release of the back-end for the Personal CARMA Tech Preview.
This release is likely to break some of the current rules and even some of the new rules that will be added, because the UI of the Personal CARMA Tech Preview doesn't handle the new result sets correctly.
This will not be fixed before we release the Personal VulnDetect (Alpha) later this week or next week.
So please be patient.
We will announce when the Personal VulnDetect (Alpha) is available - at which point we also will close the Personal CARMA Tech Preview for good.
The changes to the back-end had a significant impact on the results in the CARMA.
This has been fixed, but it requires a new inspection, before the results are updated.
We have a bit of a backlog on rules, so the state of certain products, including Adobe and Microsoft products, is not accurate. This will be fixed soon.
Our primary focus now is to prepare the release of the VulnDetect.
@tom THX for the detailed answer. I am really looking forward to having a product which can tell me if I have vulnerable software installed (for me and my family).
I just want to let you know that we are progressing aggressively at the moment.
However, the visible changes are still waiting to materialize.
On the back-end and the rules we have changed significant things lately, most of which don't benefit the CARMA, but they will prove valuable in the upcoming VulnDetect.
One of the significant changes that we've been working on is to support "Product Channels". Some vendors offer stable enterprise releases, normal releases, beta releases, nightly builds and so on.
Many of these "channels" are not relevant for most users, but those who do use beta and other pre-release products still expect VulnDetect to detect these products (albeit we can't track the security state of these).
In order to avoid inaccurate results, due to incompatible versioning and lack of security information for some of these beta and pre-releases, we have decided to treat them as "Product Channels".
Practically, this means that the VulnDetect will report the installation / presence of e.g. Chrome Canary as a separate product, and it will report the state as "Unknown" or "Untracked", since Google doesn't provide security information for the Canary release.
And the "normal" releases of the Chrome browser will be reported and tracked as a regular program, with a security state.
A similar approach will be taken with e.g. Firefox ESR, Firefox, Firefox Beta, Firefox Nightly, Microsoft Office (Monthly, Semi-Annual, Insider, and so on).
Right now we continue our work on the back-end and the UI of the VulnDetect. With regard to rules, our primary focus is maintaining current products and updating them to support the channels.
Once we've given all the rule sets and channels an overhaul, we will get back to adding detection of new products.
Today we stopped maintaining rules in the CARMA and instead started maintaining them in the VulnDetect.
The VulnDetect is currently running in a test environment and we have invited a few to test it.
We expect to deploy the VulnDetect (alpha) to the live site on Monday or Tuesday.
I am confident that VulnDetect will be the best product on the market!
Please see this announcement about the Alpha: