FAQ - Frequently Asked Questions
These are the frequently asked questions. More details are available in the documentation.
What is VulDB?
VulDB stands for Vulnerability Database. We are curating and documenting all security vulnerabilities that got published in electronic products. We are one of the most important sources for people responsible for handling vulnerabilities, vulnerability management, exploit analysis, threat intelligence, and incident response handling.
What can I do with VulDB?
Our customers can basically be divided into three categories:
| VM - Ongoing Vulnerability Management | VR - Extended Vulnerability Research | CTI - Cyber Threat Intelligence |
|---|---|---|
| IT administrators and SOC | IT admins, security testers and vendors | multinational companies, governments and vendors |
| ⇒ Know what kind of advisories, vulnerabilities, exploits and countermeasures are published to react to them as quickly and efficiently as possible. | ⇒ Analyze current and historic data to establish and maintain the understanding of vulnerabilities, exploits and their trends. | ⇒ Get technical and geopolitical information about threats, actors, and activities to anticipate actions and establish pro-active measures. |
What is unique about VulDB?
We want to provide the best vulnerability data and threat intelligence service. We provide a wide variety of unique features not available from other vendors and services:
- 🖥️ high performance server cluster
- 📄 excellent coverage, including exotic sources (e.g. social media, forums, Darknet)
- 📑 daily updates of existing entries
- 📼 commit history for all changes
- ☑️ high quality thanks to well educated moderation team
- 🔗 CPE 2.2, CPE 2.3, CWE, ATT&CK, CVE, CVSSv2, CVSSv3 support
- ➕ CVSS scores from multiple sources
- ⚔️ unique exploit price calculation
- 🛒 categorizing and grouping of products
- 🌐 cyber threat intelligence
- 👨‍💻 simple API (JSON, XML, CSV, RSS)
- 💾 280 data points supported
- 🚨 pre-filter and mail alert support
- 🔍 Splunk app
- 👁️‍🗨️ Nmap support
- 🤖 Alexa Skill
- 💬 community support (submit, edit, comment)
- ℹ️ official support can handle technical vulnerability questions (support, mods and devs are in the same building)
- 🦉 service level agreement (SLA)
- 🇨🇭 data sovereignty (all data hosted in Switzerland, no dependency on other organizations/countries)
What is the story behind VulDB?
The history of VulDB, spanning multiple decades, is well documented in the about section of the web site.
How many people work at VulDB?
VulDB consists of multiple teams:
- Infrastructure Team (Network, Hardware, and OS)
- Web Development Team
- App Development Team (e.g. Splunk, Alexa)
- Moderation Team (Vulnerabilities)
- Threat Intelligence Team
- Community Team (Submits, Commits, Posts)
- Support Team
- Sales Team
Furthermore, the open community also supports the project. Its members submit new entries, commit changes, and discuss entries.
How may I access the data?
There are different ways to access the data of vuldb.com:
- Web frontend (mobile support available)
- RSS feeds (recent and updates)
- Mail Alerts
- API (JSON/XML)
- Custom API (enterprise customers)
- Social Media (e.g. Twitter and Facebook)
- Alexa Skill
How am I limited by accessing data?
By accessing the service and using the data you agree to the Terms of Usage.
The project wants to be as open as possible. Most data is accessible on the public web site. To access some specific fields, show more results or detailed stats, a signup and login is required. This will also increase the possibilities and details of the data (e.g. more accurate exploit prices, more results in a search query).
Some views, details and amount of items require a commercial license. It is possible to purchase such a license online.
To prevent users from scraping data and violating the license, a limit is established. This limits accessibility to a certain amount of requests. This also holds true for users accessing the service extensively, like in a DDoS attack. Enterprise customers do not have such limitations to guarantee the best of the service.
How may I create a user account?
How do you handle personal data?
Details about how we collect and handle personal data are explained in our Data Privacy Notice.
How may I change the mail address of my account?
For security reasons please contact the support team to discuss your matter.
How may I delete my account?
Please contact the support team to discuss your matter. This way we are able to provide a backup of your data if requested. Your personal data will be deleted after a confirmation.
How may I use the data in a commercial project?
The license for public access of the service forbids using the data within a commercial project. Please contact our sales team to discuss a commercial co-operation.
What kind of licensing models are available?
We are eager to satisfy our customers. Different licensing models are possible, based on required API credits and expected product coverage. A purchase can be initiated online.
What licenses are available for students and researchers?
We do not provide student or research licenses. But get in touch with our support team and explain your use-case. We may provide a custom offer which can address your individual needs.
Which products do you cover?
We add every vulnerability and weakness that gets published to VulDB.
We provide a strict SLA (coverage and timeline) for the top 100 in our list. If you need the same SLA for other products, we would have to include them additionally within an enterprise license.
How do you process new vulnerabilities?
Our moderation team is monitoring different sources on the Internet 24/7. This includes web sites, code repositories and exploit markets on the Darknet.
Whenever a new advisory, exploit, upgrade or patch has been found, the data is reviewed to determine if it is a new vulnerability. If this is the case, a new entry is created in the database. If the data correlates with an older vulnerability, the new data is merged into the existing database entry.
Furthermore, thanks to our community services every registered user has the unique possibility to submit new entries via the web form. Vendors and researchers are using this possibility to propagate their findings quickly.
How do you handle user submissions?
Registered users have the unique possibility to submit new entries or to edit existing entries on the web site. All submits, commits and comments are stored in a queue which is processed by the VulDB moderation team.
If a submit/commit/comment is correct, it will be accepted and added to the service. If the data is wrong then the submit/commit/comment will be rejected with a reason.
How do you maintain old entries?
The VulDB moderation team is eager to update existing entries. This might happen because the ongoing monitoring identifies new information regarding a known vulnerability.
But we are always processing a certain amount of existing entries to determine if the information is still up-to-date. This consistent updating of old entries is quite unique among vulnerability databases.
What kind of Service Level Agreement do you provide?
We provide a basic Service Level Agreement (SLA) regarding service availability, vulnerability processing, community moderation, and support handling. The documentation explains our basic SLA in detail. An extended SLA may be negotiated as part of a commercial license agreement.
How can I report a bug or issue in VulDB?
We are eager to improve to provide the best possible experience for our users. If you have found a technical issue or a security vulnerability in one of our services we are happy to know about it. Just contact our support team which will handle the issue as quickly as possible. Reporting users are rewarded with free unlocks for access and data on the website. This does not apply for reports of issues regarding physical scenarios, flooding attacks, and best practices (e.g. security headers, certificate pinning).
Do you provide a risk rating?
We provide multiple risk rating indicators:
- own risk rating (low, medium, high)
- CVSSv2 and CVSSv3 Base and Temp scores by VulDB, Vendor, Researcher and NVD
- unique CVSSv3 Meta score
- unique exploit price calculation
- unique cyber threat intelligence scoring
- additional risk ratings by other sources (e.g. tools, vendors, databases)
Do you provide CVSS scores?
We guarantee a VulDB score (none of our entries has no score) which includes CVSSv3/CVSSv2 and Base/Temp. We provide additional vectors and scores from different sources. This includes typically:
- VulDB (guaranteed by us, always includes a confidence level)
How do you calculate your own CVSS scores?
We are using internal guidelines to provide quality assurance for scoring. The documentation explains how we handle CVSS scores in detail.
How do you calculate your exploit prices?
We are using a unique algorithm based on monitoring, observations, and statistical models. The documentation also explains how we calculate exploit prices in detail.
How may we buy/sell exploits?
We do not buy/sell exploits. Please consider contacting a vulnerability broker specialized in such services.
Cyber Threat Intelligence
How does CTI work?
Our approach of Cyber Threat Intelligence (CTI) is unique.
The CTI team is monitoring activities of actors. This includes but is not limited to sources like web sites, social media, forums, and darknet markets. These activities are logged, classified, and analyzed. This leads to a CTI Interest Score (0.00-10.00) for a vulnerability and a CTI Activity Score (0-1000) for an actor.
The relationship between actors, primarily different countries, is analyzed to determine political tensions. This leads to a geopolitical Attack Probability Score which helps to determine emerging threats and ongoing attacks.
Who is eligible for CTI information?
Some basic threat intelligence information is published on the web site. However, at the moment we are running a closed beta, which is why some of the information is not yet disclosed or access to it is limited. Please have some patience until the CTI service is publicly available.
How may I use the API?
The API is accessible via web, expects HTTP requests and uses JSON/XML for responses. The API documentation contains all details on how to use the API.
When do my API credits reset?
The API consumption calculation is a moving window. If you exceed your limit, you have to wait until some of your earlier access attempts become older than 24 hours before you can do new requests.
Therefore, the reset does not happen at a specific time. As we have customers all around the world there would not be an ideal time to do such a reset. We would then have to expect a high peak of requests after such a generic reset as all customers would gain new credits at the same time. To distribute the requests we decided to implement a moving window.
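The moving window described above can be mirrored on the client side so that a consumer knows when the next request will fit into its budget. This is an added example, not VulDB code: the `CreditWindow` class is hypothetical, it assumes one credit per request unless stated otherwise, and it treats a request as expired once it is exactly 24 hours old.

```python
from collections import deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=24)  # FAQ: credits return once a request is older than 24 hours


class CreditWindow:
    """Client-side mirror of a moving-window credit budget (hypothetical helper)."""

    def __init__(self, daily_limit):
        self.daily_limit = daily_limit
        self._spent = deque()  # (timestamp, credits), oldest first

    def _expire(self, now):
        # Drop requests that have left the 24-hour window (boundary is an assumption).
        while self._spent and now - self._spent[0][0] >= WINDOW:
            self._spent.popleft()

    def used(self, now):
        self._expire(now)
        return sum(c for _, c in self._spent)

    def record(self, now, credits=1):
        self._spent.append((now, credits))

    def next_allowed(self, now, credits=1):
        """Earliest time at which `credits` more credits fit into the window."""
        if credits > self.daily_limit:
            raise ValueError("request costs more than the whole daily limit")
        free = self.daily_limit - self.used(now)
        if free >= credits:
            return now
        # Walk the oldest requests until enough credits have aged out.
        for ts, c in self._spent:
            free += c
            if free >= credits:
                return ts + WINDOW


def demo():
    start = datetime(2024, 1, 9, 8, 0, tzinfo=timezone.utc)  # constructed sample times
    w = CreditWindow(daily_limit=3)
    for minutes in (0, 30, 90):  # requests at 08:00, 08:30 and 09:30
        w.record(start + timedelta(minutes=minutes))
    now = start + timedelta(hours=2)
    one_credit = w.next_allowed(now)      # waits for the 08:00 request to age out
    two_credits = w.next_allowed(now, 2)  # waits for the 08:30 request as well
    later = start + timedelta(hours=24, minutes=45)
    return one_credit, two_credits, w.used(later)
```

There is no fixed reset time in the result: each credit comes back 24 hours after the request that consumed it.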
What happens with unused API credits?
You purchase a certain amount of usable API credits per day. If this day passes, your unused API credits expire. It is not possible to collect credits and stack them for future consumption.
How may I increase the amount of API credits?
You are able to purchase additional API credits online. If you are an enterprise customer with individual needs please contact us. We have different pricing models to match the individual needs of our customers.
How many API credits are recommended?
This depends on your use case. On a regular day there are up to 150 new vulnerabilities published per day. If you want to do steady vulnerability monitoring, 200 API credits would be sufficient to handle the normal stream.
But there are days, especially patch days of big companies like Microsoft and Oracle, which sometimes generate more than 400 new entries per day. To handle such peaks in real-time we recommend 600 API credits per day.
If you also want to fetch all daily updates of existing entries, an additional 200 API credits per day are recommended.
Some clients, especially enterprise customers, have the task to investigate and analyze older entries. In such cases we recommend 800 or more API credits. Our enterprise license is the perfect fit for this scenario.
Do you provide an alerting service?
We provide a variety of alerting mechanisms:
- Mail Alert
- CTI Alerts
How do API alerts work?
You are able to access the API with custom queries to get the latest issues affecting our product landscape. This can be done with extended search queries, custom alert filters or collections (enterprise customers only).
How do mail alerts work?
You are able to enable and maintain your own mail alert in your user profile. Adding products (vendor and product name) will provide custom views and alerting capabilities. If one of your defined products has a new vulnerability, a mail alert is sent once a day to your defined mail address. This helps you to stay up-to-date without having the need to visit the web site on a regular basis.
How do CTI alerts work?
You agree upon a coverage and cadence of CTI monitoring services. Whenever a new observation is made, a quick report is sent to you. We distinguish between Alerts (new identification, forecasting included) and Infos (verification of existing disclosures, forecasting included).
How may we support VulDB as a vendor?
We appreciate all kinds of community, researcher, and vendor support. We maintain good contacts to have a fruitful exchange of vulnerability and threat intelligence data.
As a vendor you may submit new vulnerabilities as quickly as possible to keep the defensive community and your user base as informed as possible. You may also edit and enrich existing entries to help gain good data quality.
If you want to automatically feed your product and vulnerability data to VulDB, please contact us to discuss the possibilities (e.g. automated imports, API uploads).
How may we add a vendor statement to an entry?
As a vendor you have the possibility to submit an official statement which will be added as such to an entry. This makes it possible to mention results of your quality testing, insights of threat analysis, and suggestions for countermeasures.
How may we delete a vulnerability on VulDB as it hurts our reputation?
One of the aspects of VulDB is the documentation of vulnerabilities. If such were disclosed, discussed, and added to the database, there is no good reason why we would delete such information. Even if an entry is old it might be of interest for historians.
It is important for us to document vulnerabilities as fairly and accurately as possible. If you partially or fully disagree with an entry, you have the following possibilities:
- If the information is wrong or outdated, we encourage you to edit an entry to keep it up-to-date.
- If you disagree with a disclosure or technical details of an entry, you are able to submit an official statement which will be added to the entry.
- If you have something to add otherwise, you may use the community comment feature of the available entries.
- If you think the core issue of an entry is non-existent, you may flag it as disputed with an edit.
- If you can prove that an entry is a false-positive, we will flag it as such (the entry remains online for documentation purposes if other sources list it too).
- If you can prove that an entry is a false-positive and VulDB is the only source, we will delete the entry.
How may I contact you for further inquiries?
In any case please contact our support team via the online form on the web site. They will reply or delegate your request to the responsible department or team. This also applies to media inquiries (e.g. expertise, interviews).
Are you interested in using VulDB?
Download the whitepaper to learn more about our service!