Does anyone have any recommendations on how to go about getting relevant vulnerability alerts for software in a particular environment? I get weekly US-CERT vulnerability bulletins and monitor plenty of other vulnerability feeds, but am looking for something where I can specify the products that I need to watch and only receive alerts for those. Not looking for a vulnerability scanner (we have plenty of those) or a full vulnerability management suite, per se, just a way to filter out newly published vulnerabilities that affect software in use on our network.
I'm aware of some commercial services (VUPEN, etc.), but am looking for a way to do it for free or low cost. Ideally we would be able to configure and manage it in-house, since we're not keen on providing all of our software names/versions to outside entities.
The only thing I've come up with so far is using RSS feeds from cvedetails.com, which lets you create RSS feeds for specific software/versions, and either import those into an Excel sheet or some sort of server-side RSS aggregator that is viewable by both me and my colleagues.
Anyone have any novel ways that they do it, or can think of something I have overlooked?
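
An added example, not part of the original post: one way to do the filtering in-house is to pull general feeds and match them locally against a product watchlist, so the software inventory never leaves the network. The feed content, product names, CVE ids, URLs and the `WATCHLIST` layout below are constructed placeholders, and the RSS 2.0 item layout is an assumption about the feeds being consumed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample feed (RSS 2.0); CVE ids, products and URLs are placeholders.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>constructed vulnerability feed</title>
<item><title>CVE-0000-0001: ExampleHTTPd 2.4.1 request parsing flaw</title>
<link>https://feeds.example/CVE-0000-0001</link>
<description>Affects ExampleHTTPd 2.4.0 through 2.4.3.</description></item>
<item><title>CVE-0000-0002: OtherCMS plugin upload issue</title>
<link>https://feeds.example/CVE-0000-0002</link>
<description>Affects OtherCMS 7.x.</description></item>
<item><title>CVE-0000-0003: ExampleDB 9.1 privilege issue</title>
<link>https://feeds.example/CVE-0000-0003</link>
<description>Affects ExampleDB 9.1 only.</description></item>
<item><title>CVE-0000-0001: ExampleHTTPd duplicate entry from a second feed</title>
<link>https://feeds.example/dup</link>
<description>ExampleHTTPd 2.4.1</description></item>
</channel></rss>"""

# Local watchlist (hypothetical layout): product -> version prefixes in use, [] = any.
WATCHLIST = {"ExampleHTTPd": ["2.4"], "ExampleDB": ["8."]}
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def match_product(text, product, versions):
    """True if the product is named and, when versions are given, one follows the name."""
    for m in re.finditer(r"\b" + re.escape(product) + r"\b\s*([\d.x]*)", text, re.I):
        if not versions or any(m.group(1).startswith(v) for v in versions):
            return True
    return False

def relevant_alerts(feed_xml, watchlist, seen=None):
    """Return [(cve_id, product, link)] for items matching the watchlist, deduplicated."""
    seen = set() if seen is None else seen  # pass a persistent set to dedupe across runs
    alerts = []
    for item in ET.fromstring(feed_xml).iter("item"):
        text = " ".join(item.findtext(t, "") for t in ("title", "description"))
        cve = CVE_RE.search(text)
        key = cve.group(0) if cve else item.findtext("link", "")
        if key in seen:
            continue
        for product, versions in watchlist.items():
            if match_product(text, product, versions):
                seen.add(key)
                alerts.append((key, product, item.findtext("link", "")))
                break
    return alerts
```

When the feed XML is fetched from the network rather than embedded, parsing it with `defusedxml.ElementTree` instead of the standard-library parser avoids entity-expansion problems in untrusted XML.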