FAQ - Frequently Asked Questions

These are the frequently asked questions. More details are available in the documentation

Generic

What is VulDB?

VulDB stands for Vulnerability Database. We are curating and documenting all security vulnerabilities that got published in electronic products. We are one of the most important sources for people responsible for handling vulnerabilities, vulnerability management, exploit analysis, threat intelligence, and incident response handling.

What can I do with VulDB?

Our customer can basically be divided into three categories:

VM - Ongoing Vulnerability ManagementVR - Extended Vulnerability ResearchCTI - Cyber Threat Intelligence
IT administrators and SOCIT admins, security testers and vendorsmultinational companies, govs and vendors
⇒ Know what kind of advisories, vulnerabilities, exploits and countermeasures are published to react to them as quickly and efficient as possible.⇒ Analyze current and historic data to establish and maintain the understanding of vulnerabilities, exploits and their trends.⇒ Get technical and geopolitical information about threats, actors, and activities to anticipate actopms and establish pro-active measures.

What is unique about VulDB?

We want to provide the best vulnerability data and threat intelligence service. We provide a wide variety of unique features not available by other vendors and services:

What is the story behind VulDB?

The multiple decades spanning history of VulDB is well documented in the about of the web site.

How many people work at VulDB?

VulDB consists of multiple teams:

  • Infrastructure Team (Network, Hardware, and OS)
  • Web Development Team
  • App Development Team (e.g. Splunk, Alexa)
  • Moderation Team (Vulnerabilities)
  • Threat Intelligence Team
  • Community Team (Submits, Commits, Posts)
  • Support Team
  • Sales Team
We are working with different acknowledged specialists in multiple fields to guarantee the best quality of the service.

Furthermore, the open community does also support the project. They submit new entries, commit changes, and discuss entries.

Access

How may I access the data?

There are different ways to access the data of vuldb.com:

How am I limited by accessing data?

By accessing the service and using the data you agree to the Terms of Usage

The project wants to be as open as possible. Most data is accessible on the public web site. To access some specific fields, show more results or detailed stats, a signup and login is required. This will also increase the possibilities and details of the data (e.g. more accurate exploit prices, more results in a search query).

Some views, details and amount of items require a commercial license. It is possible to purchase such a license online.

To prevent users from scraping data and violating the license, a limit is established. This limits accessibility to a certain amount of requests. This holds also true for users accessing the service extensively, like in a DDoS attack. Enterprise customers do not have such limitations to guarantee the best of the service.

User Account

How may I create an user account?

Just signup for the service for free. A valid mail address is required to verify your new account. You agree to the Terms of Use

How do you handle personal data?

Details about how we collect and handle personal data is explained in our Data Privacy Notice

How may I change the mail address of my account?

For security reasons please contact the support team to discuss your matter.

How may I delete my account?

Please contact the support team to discuss your matter. This way we are able to provide a backup of your data if requested. Your personal data will be deleted after a confirmation.

Licensing

How may I use the data in a commercial project?

The license for public access of the service forbids to use the data within a commercial project. Please contact our sales team to discuss a commercial co-operation.

What kind of licensing models are available?

We are eager to satisfy our customers. There are different models for licensing possible based on required API credits and expected product coverage. A purchase can be initiated online.

What licenses are available for students and researcher?

We do not provide student or research licenses. But get in touch with our support team and explain your use-case. We may provide a custom offer which can address your individual needs.

Vulnerability Management

Which products do you cover?

We add every vulnerability and weakness that gets published to VulDB.

We provide a strict SLA (coverage and timeline) for the top 100 in our list. If you need the same SLA for other products, we would have to include them additionally within an enterprise license.

How do you process new vulnerabilities?

Our moderation team os monitoring 24/7 different sources on the Internet. This includes web sites, code repositories and exploit markets on the Darknet.

Whenever a new advisory, exploit, upgrade or patch has been found, the data is reviewed to determine if it is a new vulnerability. If this is the case, a new entry is created in the database. If the data correlates with an older vulnerability, the new data is merged into the existing database entry.

Furthermore, thanks to our community services every registered user has the unique possibility to submit new entries via the web form - Vendors and researchers are using this possibility to propagate their findings quickly.

How do you handle user submissions?

Registered users have the unique possibility to submit new entries or to edit existing entries on the web site. All submits, commits and comments are stored in a queue which is processed by the VulDB moderation team.

If a submit/commit/comment is correct, it will be accepted and added to the service. If the data is wrong then the submit/commit/comment will be rejected with a reason.

How do you maintain old entries?

The VulDB moderation team is eager to update existing entries. This might happen because the ongoing monitoring identifies new information regarding a known vulnerability.

But we are always processing a certain amount of existing entries to determine if the information is still up-to-date. This consequent updating of old entries is quite unique among vulnerability databases.

What kind of Service Level Agreement do you provide?

We provide a basic Service Level Agreement (SLA) regarding service availability, vulnerability processing, community moderation, and support handling. The documentation explains our basic SLA in detail. An extended SLA may be negotiated as part of a commercial license agreement.

How can I report a bug or issue in VulDB?

We are eager to improve to provide the best possible experience for our users. If you have found a technical issue or a security vulnerability in one of our services we are happy to know about it. Just contact our support team which will handle the issue as quickly as possible. Reporting users are rewarded with free unlocks for access and data on the website.

Risk Rating

Do you provide a risk rating?

We provide multiple risk rating indicators:

The user has the possibility to chose the risk rating that suits best.

Do you provide CVSS scores?

We guarantee a VulDB score (none of our entries has no score) which includes CVSSv3/CVSSv2 and Base/Temp. We provide additional vectors and scores from different sources. This includes typically:

  • VulDB (guaranteed by us, always includes a confidence level)
  • Vendor
  • Researcher
  • NVD
We also add a so called CVSSv3 Meta Score and an unique C3BM Meta Index to make these different scores comparable.

How do you calculate your own CVSS scores?

We are using internal guidelines to provide quality assurance for scoring. The documentation explains how we handle CVSS scores in detail.

How do you calculate your exploit prices?

We are using an unique algorithm based on monitoring, observations, and statistical models. The documentation also explains how we calculate exploit prices in detail.

How may we buy/sell exploits?

We do not buy/sell exploits. Please consider contacting a vulnerability broker specialized in such services.

Cyber Threat Intelligence

How does CTI work?

Our approach of Cyber Threat Intelligence (CTI) is unique.

The CTI team is monitoring activities of actors. This includes but is not limited to sources like web sites, social media, forums, and darknet markets. These activities are logged, classified, and analyzed. This leads to a CTI Interest Score (0.00-10.00) for a vulnerability and a CTI Activity Score (0-1000) for an actor.

The relationshop between actors, primarily different countries, is analyzed to determine political tensions. This leads to a geopolitical Attack Probability Score which helps to determine emerging threats and ongoing attacks.

Who is eligible for CTI information?

Some basic threat intelligence information is published on the web site. However, at the moment we are running a closed-beta which is why some of the information is not yet disclosed or access to it limited. Please have some patience until the CTI service is publicly available.

API

How may I use the API?

The API is accessible via web, expects HTTP requests and uses JSON/XML for responses. The API documentation contains all details on how to use the API.

How may I increase the amount of API credits?

You are able to purchase additional API credits online. If you are an enterprise customer with inidividual needs please contact us. We have different pricing models to match the individual needs of our customers.

Alerting

Do you provide an alerting service?

We provide a variety of alerting mechanisms:

  • API
  • Mail Alert
  • CTI Alerts

How do API alerts work?

You are able to access the API with custom queries to get the latest issues affecting our product landscape. This can be done with extended search queries, custom alert filter or collections (enterprise customers only).

How do mail alerts work?

You are able to enable and maintain your own mail alert in your user profile. Adding products (vendor and product name) will provide custom views and alerting capabilities. If one of your defined products has a new vulnerability, a mail alert is sent once a day to your defined mail address. This helps you to stay up-to-date without having the need to visit the web site on a regular basis.

How do CTI alerts work?

You agree upon a coverage and cadence of CTI monitoring services. Whenever a new observation is made, a quick report is sent to you. We distinguish between Alerts (new identification, forecasting included) and Infos (verification of existing disclosures, forecasting included).

Vendor Participation

How may we support VulDB as a vendor?

We appreciate all kind of community, researcher, and vendor support. We maintain good contacts to have a fruitful exchange of vulnerability and threat intelligence data.

As a vendor you may submit new vulnerabilities as quickly as possible to keep the defensive community and your user base as informed as possible. You may also edit and enrich existing entries to help gain good data quality.

If you want to automatically feed your product and vulnerability data to VulDB, please contact us to discuss the possibilities (e.g. automated imports, API uploads).

How may we add a vendor statement to an entry?

As a vendor your have the possibility to submit an official statement which will be added as such to an entry. This makes it possible to mention results of your quality testing, insights of threat analysis, and suggestions for countermeasures.

How may we delete a vulnerability on VulDB as it hurts our reputation?

One of the aspects of VulDB is the documentation of vulnerabilities. If such were disclosed, discussed, and added to the database, there is no good reason why we would delete such information. Even if an entry is old it might be of interest for historians.

It is important for us to document vulnerabilities as fair and accurate possible. If you partially or fully disagree with an entry, you have the following possibilities:

  1. If the information is wrong or outdated, we encourage you to edit an entry to keep it up-to-date.
  2. If you disagree with a disclosure or technical details of an entry, you are able to submit an official statement which will be added to the entry.
  3. If you have something to add otherwise, you may use the community comment feature of the available entries.
  4. If you think the core issue of an entry is non-existent, you may flag it as disputed with an edit.
  5. If you can prove that an entry is a false-positive, we will flag it as such (the entry remains online for documentation purposes if other sources list it too).
  6. If you can prove that an entry is a false-positive and VulDB is the only source, we will delete the entry.

Contact

How may I contact you for further inquiries?

In any case please contact our support team via the online form on the web site. They will reply or delegate your request to the responsible department or team. This does also apply for media inquiries (e.g. expertise, interviews).

Do you want to use VulDB in your project?

Use the official API to access entries easily!