Number 1 vulnerability database worldwide with more than 168000 entries available. Our specialists work with the crowd-based community to document the latest vulnerabilities on a daily basis since 1970. Besides technical details, additional threat intelligence information such as current risk levels and exploit price forecasts is provided.
1997-2002: Bugbase - How it all began
What we know today as VulDB has quite a history. It all began in the mid-90s when Marc Ruef started his own project on his personal website. Bugbase was meant to be a small vulnerability database consolidating information about the latest security issues.
The target audience of the website was German, which is why Bugbase provided information in German only.
The number of security issues was rather small, which was an effect of the Internet and vulnerability disclosure policy at that time. The level of detail provided back then was also limited: just the title, a quick summary consisting of a handful of sentences and a link to the original disclosure. Nothing special. But unique, because it was German.
Everything was written by hand with static HTML for many years. A change to a DB-based system happened in late 2002.
2003-2016: scip VulDB - The Free Project
When Marc joined the company scip AG in Zürich in early 2003, a discussion about the future of Bugbase started. Until then it was just a small project driven by an enthusiast in his free time. But it was to become an important pillar of the information culture lived by the then young company.
The whole code of Bugbase was rewritten in Perl and a MySQL database was used to consolidate the information about the security issues. The company still targeted the German-speaking audience. But the details of the documented issues and the number of entries grew rapidly. Every entry contained a generic summary of the issue. But also an issue-specific analysis of the dependencies and possible impact. Something new in the field of vulnerability databases. And something that was appreciated a lot by IT administrators and developers.
This is when Bugbase was re-branded as scip VulnDB (with an N later to be dropped) and became quite popular in the German-speaking countries. Researchers and companies started to use references to it because of the clean and straightforward approach. Over the years the N was dropped from the name and the term scip VulDB was used from then on.
Another rewrite happened and the development team moved to PHP in 2009. Additional search features, statistical overviews, and CVSS and CVE compliance were added and helped the project to gain more visibility.
To increase the reach, all data was also made available in English. The coverage of products and issues was improved over time and the 10'000th entry was created in August 2013. Around the same time, a backport of all entries ranging back to the early 1970s was started. This succeeded in 2015, from which point on full coverage could be guaranteed.
Since 2017: vuldb.com - The Big Player
The project became so big that it deserved an autonomous appearance. VulDB was disconnected from scip AG in mid-2016 and became available on its own domain vuldb.com from then on.
At the same time, a complete re-design of the service happened. The most obvious thing was the new layout which featured highly-dynamic technologies to make the site usable on all devices.
But also the database structure got optimized to improve flexibility and efficiency. Due to the high amount of traffic targeting the service, it became mandatory to increase availability. Additional caching services help to enrich the user experience even though nearly 100.000 entries are hosted as of mid-2017.
Further language support was added to the database, including languages like French, Spanish, Italian and Polish. The acceptance within the information security industry grew much faster thanks to this internationalization.
Over the years the support for open standards became highly important. This is why all entries support CVSSv3, CVE, CWE, CPE, OVAL and IAVM. In 2016 a unique exploit price prediction feature was also implemented, which helps users to rate the severity of vulnerabilities.
VulDB was always free and the project team wants to keep large parts of it free. Additional commercial services make the service attractive to large enterprise customers. Additional details, customized statistical analysis and in-depth technical review of exploits are just a few of the possibilities. Meanwhile, some of the Global 2000 use VulDB as a vulnerability management and threat intelligence tool. The advanced API capabilities introduced in late 2016 provide solid interfaces for automated data exchange.
In the same year, the community edition of VulDB became available. Users are able to create an account and use the commercial services. Or join the community edition which makes it possible to edit and review entries. Many vulnerability researchers and administrators use these features to commit edits of existing entries or suggest new submissions to be added to the database. The data quality and speed of entry handling have improved very quickly.
Even after more than 20 years we still love VulDB, what it has become and what it could be. There are a lot of ideas documented as upcoming milestones and a lot of great possibilities ahead of us. Better coverage and better data quality are always the goal. But there will be additional features to help handle the vast number of vulnerabilities that threaten systems all around the globe. And if you want to help shape the future, just create a user account and contribute to the community edition today!
| Date | Event |
|---|---|
| 1997 | Bugbase project launch by Marc Ruef |
| September 2002 | From static web site to dynamic database |
| March 2003 | Bugbase is re-branded as scip VulnDB and re-written in Perl |
| November 2003 | Initial release of scip_Alerter for desktop notifications |
| December 2003 | Introduction of RSS feed |
| January 2004 | Introduction of Emergency-SMS |
| May 2004 | Adding a lot of new data fields |
| July 2006 | Emergency-SMS availability in Germany |
| June 2009 | Complete re-write of the site in PHP |
| August 2009 | Completing old entries and introduction of recurring update processes |
| September 2009 | Start of the Twitter bot |
| December 2009 | Introduction of stats, partnership with OSVDB (cross-linking) |
| March 2010 | Introduction of Reference Maps |
| December 2010 | Move to more powerful hardware due to increase in access |
| June 2012 | All entries available in Italian |
| September 2012 | All entries available in Swedish |
| October 2012 | All entries available in English and Spanish |
| April 2013 | Introduction of CVSS maps |
| June 2013 | Screenshots, video, and CPE support |
| August 2013 | CVSSv2 Temporal Support and 10.000th entry |
| June 2014 | Approaching backlog of old entries before 2003 |
| December 2015 | Adding caching modules to improve site performance |
| November 2016 | Start closed beta of community edition |
| October 2016 | Introduction of exploit price calculations |
| December 2016 | Introduction of API |
| January 2017 | Start open beta of community edition |
| February 2017 | Public availability of community edition |
| March 2017 | Supporting CVSS scores from multiple sources (VulDB, vendor, researcher, NVD) |
| April 2017 | 100.000th entry |
| June 2017 | Introduction of dynamic graphs |
| April 2018 | Release of Alexa Skill |
| May 2018 | Availability of Data Privacy Notice |
| September 2018 | Release of Splunk App |
| October 2018 | Launch of Video Tutorial Series on YouTube |
| January 2019 | Enabling real-time views of recent and updated entries |
| February 2019 | 10.000th community user |
| March 2019 | Introduction of the C3BM Index (CVSSv3 Base Meta Index) |
| July 2019 | Introduction of software type categories |
| May 2020 | Upgrading to an extended server cluster for better performance |
| September 2020 | Switching to a so-called monoblock data architecture |