1997-2002: Bugbase - How it all began

What we know today as VulDB has quite a history. It all began in the mid-90s when Marc Ruef started his own project on his personal website. Bugbase was meant to be a small vulnerability database consolidating information about the latest security issues.

The target audience of the website was German, which is why Bugbase provided information in German only.

The number of security issues was rather small, which was an effect of the Internet and the vulnerability disclosure policy of that time. The level of detail provided back then was also limited: just the title, a quick summary consisting of a handful of sentences and a link to the original disclosure. Nothing special. But unique, because it was German.

Everything was written by hand with static HTML for many years. A change to a DB-based system happened in late 2002.

2003-2016: scip VulDB - The Free Project

When Marc joined the company scip AG in Zürich in early 2003, a discussion about the future of Bugbase started. Until then it was just a small project driven by an enthusiast in his free time. But it was to become an important pillar of the information culture lived by the then young company.

The whole code of Bugbase was re-written in Perl and a MySQL database was used to consolidate the information about the security issues. The company still targeted the German-speaking audience. But the details of the documented issues and the number of entries grew rapidly. Every entry contained a generic summary of the issue, but also an issue-specific analysis of the dependencies and possible impact. This was something new in the field of vulnerability databases, and something that was appreciated a lot by IT administrators and developers.

This is when Bugbase was re-branded as scip VulnDB (with an N later to be dropped) and became quite popular in the German-speaking countries. Researchers and companies started to use references to it because of the clean and straightforward approach. Over the years the N was dropped from the name and the term scip VulDB was used from then on.

Another re-write happened and the development team moved to PHP in 2009. Additional search features, statistical overviews, and CVSS and CVE compliance were added and helped the project to gain more visibility.

To increase the reach, all data was also made available in English. The coverage of products and issues was improved over time and the 10'000th entry was created in August 2013. Around the same time, a backport of all entries ranging back to the early 1970s was undertaken. This succeeded in 2015, from which point on full coverage could be guaranteed.

Since 2017: vuldb.com - The Big Player

The project became so big that it deserved an autonomous appearance. VulDB was disconnected from scip AG in mid-2016 and became available on its own domain vuldb.com from then on.

At the same time, a complete re-design of the service happened. The most obvious change was the new layout, which featured highly dynamic technologies to make the site usable on all devices.

The database structure was also optimized to improve flexibility and efficiency. Due to the high amount of traffic targeting the service, it became mandatory to increase availability. Additional caching services help to enrich the user experience even though nearly 100.000 entries are hosted as of mid-2017.

Support for further languages such as French, Spanish, Italian and Polish was added to the database. The acceptance within the information security industry grew much faster thanks to this internationalization.

Over the years the support for open standards became highly important. This is why all entries support CVSSv3, CVE, CWE, CPE, OVAL and IAVM. In 2016 a unique exploit price prediction feature was also implemented, which helps users to rate the severity of vulnerabilities.

VulDB was always free and the project team wants to keep large parts of it free. Additional commercial services make the service attractive to large enterprise customers. Additional details, customized statistical analysis and in-depth technical review of exploits are just a few of the possibilities. In the meantime, some of the Global 2000 use VulDB as a vulnerability management and threat intelligence tool. The advanced API capabilities introduced in late 2016 provide solid interfaces for automated data exchange.

In the same year, the community edition of VulDB became available. Users are able to create an account and use the commercial services, or join the community edition, which makes it possible to edit and review entries. Many vulnerability researchers and administrators use these features to commit edits of existing entries or suggest new submissions to be added to the database. The data quality and speed of entry handling have improved very quickly.

The Future

Even after more than 20 years we still love VulDB, what it has become and what it could be. There are a lot of ideas documented as upcoming milestones and a lot of great possibilities ahead of us. Better coverage and better data quality are always the goal. But there shall be additional features to help handle the vast number of vulnerabilities that threaten systems all around the globe. And if you want to help shape the future, just create a user account and contribute to the community edition today!

1997: Bugbase project launch by Marc Ruef
September 2002: From static web site to dynamic database
March 2003: Bugbase is re-branded as scip VulnDB and re-written in Perl
November 2003: Initial release of scip_Alerter for desktop notifications
December 2003: Introduction of RSS feed
January 2004: Introduction of Emergency-SMS
May 2004: Adding a lot of new data fields
July 2006: Emergency-SMS availability in Germany
June 2009: Complete re-write of the site in PHP
August 2009: Completing old entries and introduction of recurring update processes
September 2009: Start of the Twitter bot vuldb (formerly scipvulbot)
December 2009: Introduction of stats, partnership with OSVDB (cross-linking)
March 2010: Introduction of Reference Maps
December 2010: Move to more powerful hardware due to increase in access
June 2012: All entries available in Italian
September 2012: All entries available in Swedish
October 2012: All entries available in English and Spanish
April 2013: Introduction of CVSS maps
June 2013: Screenshots, video, and CPE support
August 2013: CVSSv2 Temporal Support and 10.000th entry
June 2014: Approaching backlog of old entries before 2003
December 2015: Adding caching modules to improve site performance
November 2016: Start closed beta of community edition
October 2016: Introduction of exploit price calculations
December 2016: Introduction of API
January 2017: Start open beta of community edition
February 2017: Public availability of community edition
March 2017: Supporting CVSS scores from multiple sources (VulDB, vendor, researcher, NVD)
April 2017: 100.000th entry
June 2017: Introduction of dynamic graphs
April 2018: Release of Alexa Skill
May 2018: Availability of Data Privacy Notice
September 2018: Release of Splunk App
October 2018: Launch of Video Tutorial Series on YouTube
January 2019: Enabling real-time views of recent and updated entries
February 2019: 10.000th community user
March 2019: Introduction of the C3BM Index (CVSSv3 Base Meta Index)
July 2019: Introduction of software type categories
May 2020: Upgrading to an extended server cluster for better performance
September 2020: Switching to a so-called monoblock data architecture

