Number 1 vulnerability database worldwide with more than 206000 entries available. Our specialists work with the crowd-based community to document the latest vulnerabilities on a daily basis since 1970. Besides technical details, there are additional threat intelligence information like current risk levels and exploit price forecasts provided. This is a short history of our service spanning more than 25 years. Technical improvements are documented in the changelog.
1997-2002: Bugbase - How it all began
What we know today as VulDB has quite a history. It all began in the mid-90's when Marc Ruef started his own project on his personal website . The Bugbase should be a small vulnerability database consolidating information about the latest security issues.
The target audience of the website was German which is why Bugbase was providing information on German only.
The number of security issues was rather small, which was an effect of the Internet structure and vulnerability disclosure policy at that time. Also limited was the level of details that was provided back then. Just the title, a quick summary consisting of a handful of sentences and a link to the original disclosure. Nothing special. But unique, because it was German.
Everything was written by hand with static HTML for many years. A change to an DB-based system happened in late 2002.
2003-2016: scip VulDB - The Free Project
When Marc joined the company scip AG in Zürich in early 2003 a discussion about the future of Bugbase started. Until then it was just a small project driven by an enthusiast in his free time. But it shall become an important pillar of the information culture lived by the then young company.
The whole code of Bugbase was re-written in Perl and a MySQL-database was used to consolidate the information about the security issues. The company still targeted the German-speaking audience. But the details of the documented issues and the number of entries grew rapidly. Every entry contained a generic summary of the issue. But also an issue-specific analysis of the dependencies and possible impact. Something new in the field of vulnerability databases. And something that was appreciated a lot by IT administrators and developers.
This is when Bugbase was re-branded as scip VulnDB (with an N later to be dropped) and became quite popular among the German-speaking countries. Researcher and companies started to use references to because of the clean and straight-forward approach. Over the years the N was dropped from the name and the term scip VulDB was used from then on.
Another re-write happened and the development team moved to PHP in 2009. Additional search features, statistical overviews, CVSS- and CVE-compliancy were added and helped the project to gain more visibility.
To increase the reach all data was also made available in English. The coverage of products and issues was improved over time and the 10'000th entry was created in August 2013. Around the same time, a backport of all entries ranging back to the early 1970's was approached. This has succeeded in 2015 from which on a full coverage could be guaranteed.
2017-today: vuldb.com - The Big Player
The project became so big that it deserved an autonomous appearance. VulDB was disconnected from scip AG in mid-2016 and became available on the own domain vuldb.com from then on.
At the same time, a complete re-design of the service happened. The most obvious thing was the new layout which featured highly-dynamic technologies to make the site usable on all devices.
But also the database structure got optimized to improve flexibility and efficiency. Due to the high amount of traffic targeting the service, it became mandatory to increase availability. Additional caching services help to enrich the user experience even though nearly 100.000 entries are hosted as of mid-2017.
Further language support was added to the database. Languages like French, Spanish, Italian and Polish. The acceptance within the information security industry grew much faster thanks to this internationalization.
Over the years the support for open standards became highly important. This is why all entries support CVSSv3, CVE, CWE, CPE, OVAL and IAVM. In 2016 there was also a unique feature of exploit price prediction implemented which helps users to rate the severity of vulnerabilities.
VulDB was always free and the project team wants to keep large parts of it free. Additional commercial services make the service attractive to large enterprise customers. Additional details, customized statistical analysis and in-depth technical review of exploits are just a few of the possibilities. In the meanwhile some of the Global 2000 use VulDB as vulnerability management and threat intelligence tool. The advanced API capabilities introduced late 2016 provide solid interfaces for automated data exchange.
In the same year, the community edition of VulDB became available. Users are able to create an account and use the commercial services. Or join the community edition which makes it possible to edit and review entries. Many vulnerability researchers and administrators use these features to commit edits of existing entries or suggest new submissions to be added to the database. The data quality and speed of entry handling have improved very quickly.
VulDB was acquired by pyxyp inc. in 2021 and relaunched with a new app and layout.
Even after more than 25 years we still love VulDB, what it has become and what it could be. There are a lot of ideas documented as upcoming milestones and a lot of great possibilities ahead of us. Better coverage and better data quality is always the goal. But there shall be additional features to help handle the vast amount of vulnerabilities that threat the systems all around the globe. And if you want to help shape the future, just create an user account and contribute to the community edition today!
Interested in the pricing of exploits?
See the underground prices here!