VulDB was founded as a private project back in 1997 (before CVE, Nessus and Snort were even born) and maintained by Marc Ruef for 5 years under the copyleft license for free.
When the company scip AG was founded in 2002, the database was incorporated there and we maintained it for 13 years for free as well. scip AG decided to provide commercial services on top of the free service.
Even though we offer commercial access, everybody is able to use the web site without a login for free. Even the license is CC BY-NC-SA 4.0, which is basically everything for free (but not for commercial use). Unfortunately, some people don't respect that, which is why, under some circumstances, we have to enforce a signup to identify violations better. Everybody is able to create an account for free. You may use our official Splunk app to collect data, and this app is free as well. Or use our Nmap NSE plugin to enhance scans, which is not just free but GPL.
If you access a lot of entries or want very detailed data (which we have to curate manually), then you have to pay. Because then you are a company that profits from our voluntary work. Even though we have a lot of free users that abuse our service, we want to keep the free part because it is the right thing to do.
Our pricing structure is very fair and allows even small companies to run professional vulnerability management. We haven't had a price increase since we added the commercial service.
People are able to submit and edit new entries and we like this community engagement a lot. And some of our CTI data is shared on GitHub for free. Even though we incorporate data from other sources as well, we always respect licenses and provide an attribution. Even to our competitors. We do this for every single commit. Because it's fair.
Over the years the CVE stream became a very important source for us. We decided to become a CVE Numbering Authority (CNA) after the program became open, to give something back to the CVE community. We do this for free. All entries that we maintain as a CNA are not paywalled but accessible for free (even if we detect violations of our license agreements). This is about 8% of the vulnerability data that we host at the moment. Therefore, we can't make money with our CNA work because we share it for free.
We also reroute a lot of submissions to other CNAs. For example, we have an agreement with the WordPress CNAs that we will forward all such submissions to them. If we overlap with another research CNA and realize that they are working on the same CVE, we always give them priority. We even provide custom views and API access to them for free to make their life easier. Some of them are partially competitors, but we still help them.
Because we have such a high throughput, some CNAs tend to contact us to ask for guidance on edge cases. We help them for free. We are very eager to become an ADP to enrich existing entries. This is the main reason why we joined the CNA program. We will do it for free. For 17 years, being a CNA was obviously not essential to our business model; it still isn't and never will be.