FAQ
📌 Article pinned by VulDB Support Team
These are the Frequently Asked Questions. More details are available in the official documentation.
Generic
What is VulDB?
VulDB stands for Vulnerability Database. We are curating and documenting all security vulnerabilities that got published in electronic products. We are one of the most important sources for people responsible for handling vulnerabilities, vulnerability management, exploit analysis, cyber threat intelligence, and incident response handling.
What can I do with VulDB?
Our customers can basically be divided into three categories:
VM - Ongoing Vulnerability Management | VR - Extended Vulnerability Research | CTI - Cyber Threat Intelligence |
---|---|---|
IT administrators and SOC | IT admins, security testers and vendors | multinational companies, govs and vendors |
⇒ Know what kind of advisories, vulnerabilities, exploits and countermeasures are published to react to them as quickly and efficiently as possible. | ⇒ Analyze current and historic data to establish and maintain the understanding of vulnerabilities, exploits and their trends. | ⇒ Get technical and geopolitical information about threats, actors, and activities to anticipate actions and establish pro-active measures. |
What is unique about VulDB?
We want to provide the best vulnerability data and threat intelligence service. We provide a wide variety of unique features not available from other vendors and services:
- 🏎️ high performance server cluster
- 📄 excellent coverage, including exotic sources (e.g. social media, forums, Darknet)
- 📑 daily updates of existing entries
- 📼 commit history for all changes within a private blockchain
- ☑️ high quality thanks to well educated moderation team
- 🔗 MITRE standards like CVE, CPE 2.2, CPE 2.3, CWE, ATT&CK, CVSSv2, CVSSv3, CVSSv4 supported
- 🗃️ officially approved as CVE Numbering Authority (CNA) by MITRE to assign new CVEs
- 🔣 officially approved as Authorized Data Publisher (ADP) by NIST NVD to enrich CVE entries
- 💍 additional standards like purl supported
- ➕ CVSS scores from multiple sources and aggregated Meta scores
- ⚔️ unique exploit price calculation
- 🤺 support of Exploit Prediction Scoring System (EPSS) and CISA Known Exploited Vulnerabilities Catalog (KEV)
- 🛒 categorizing and grouping of products
- 🌐 cyber threat intelligence (IOC, TTP, IOA, IOB)
- 👨💻 simple API (JSON, XML, CSV, RSS)
- 💾 more than 460 structured data points supported
- 🔣 templating of custom summaries and descriptions
- 🌍 support for multiple languages
- 🚨 pre-filter and mail alert support
- 🔍 Splunk app
- 👁️🗨️ Nmap support
- 🤖 Alexa Skill
- 💬 community support (submit, edit, comment, vote)
- ℹ️ official support can handle technical vulnerability questions (support, mods and devs are in the same building)
- 🦉 Service Level Agreement (SLA) and Business Continuity Management (BCM)
- 🇨🇭 data sovereignty and privacy (all data hosted in Switzerland, no dependency on other organizations/countries)
Who is responsible for VulDB?
VulDB is a service provided by pyxyp inc.
What is the story behind VulDB?
The multiple decades spanning history of VulDB is well documented.
How many people work at VulDB?
VulDB consists of multiple teams:
- Infrastructure Team (Network, Hardware, and OS)
- Web Development Team
- App Development Team (e.g. Splunk, Alexa)
- Moderation Team (Vulnerabilities)
- Data Team
- CTI Team
- Community Team (Submits, Commits, Posts)
- Support Team
- Sales Team
Furthermore, the open community does also support the project. They submit new entries, commit changes, and discuss entries.
Access
How may I access the data?
There are different ways to access the data of vuldb.com:
- Web frontend (mobile support available)
- RSS feeds (recent and updates)
- Mail Alerts
- API (JSON/XML)
- Custom API (enterprise customers)
- Social Media (e.g. Twitter and Facebook)
- Alexa Skill
How am I limited by accessing data?
By accessing the service and using the data you agree to the Terms of Usage.
The project wants to be as open as possible. Most data is accessible on the public web site. To access some specific fields, show more results or detailed stats, a signup and login is required. This will also increase the possibilities and details of the data (e.g. more accurate exploit prices, more results in a search query).
Some views, details and amount of items require a commercial license. It is possible to purchase such a license online.
To prevent users from scraping data and violating the license, a limit is established. This limits accessibility to a certain amount of requests. This holds also true for users accessing the service extensively, like in a DDoS attack. Enterprise customers do not have such limitations to guarantee the best of the service.
Where is the data hosted?
All data is hosted in Switzerland to provide the advantages of legal stability, technical reliability, and geopolitical neutrality.
User Account
How may I create a user account?
Just signup for the service for free. A valid mail address is required to verify your new account. You agree to the Terms of Use.
How do you handle personal data?
Details about how we collect and handle personal data are explained in our Data Privacy Notice.
How may I change the mail address of my account?
For security reasons please contact the support team to discuss your matter.
How may I delete my account?
Please contact the support team to discuss your matter. This way we are able to provide a backup of your data if requested. Your personal data will be deleted after a confirmation.
Licensing
How may I use the data in a commercial project?
The license for public access of the service forbids using the data within a commercial project. Please contact our sales team to discuss a commercial co-operation.
What kind of licensing models are available?
We are eager to satisfy our customers. There are different models for licensing possible based on required API credits and expected product coverage. A purchase can be initiated online.
What licenses are available for students and researchers?
We do not provide student or research licenses. But get in touch with our support team and explain your use-case. We may provide a custom offer which can address your individual needs.
Which payment methods are supported?
We support a wide variety of payment methods.
Do you support custom invoicing?
We do for certain subscription models and payment methods.
Do you provide discounts?
We do provide discounts for long-term subscriptions and customers purchasing multiple add-ons at once.
How do you handle supplier onboarding?
If you need a supplier or vendor onboarding to purchase our services, feel free to contact us so we may submit a quote to compensate our extended efforts. Otherwise you may consult our Knowledge Base which provides all the necessary information.
Vulnerability Management
Which products do you cover?
We add every vulnerability and weakness that gets published to VulDB.
We provide a strict SLA (coverage and timeline) for the top 100 in our list. If you need an SLA for other products, we would have to include them additionally within an enterprise license.
How do you process new vulnerabilities?
Our moderation team is monitoring different sources on the Internet 24/7. This includes web sites, code repositories and exploit markets on the Darknet.
Whenever a new advisory, exploit, upgrade or patch has been found, the data is reviewed to determine if it is a new vulnerability. If this is the case, a new entry is created in the database. If the data correlates with an older vulnerability, the new data is merged into the existing database entry.
Furthermore, thanks to our community services every registered user has the unique possibility to submit new entries via the web form. Vendors and researchers are using this possibility to propagate their findings quickly.
Do you maintain vulnerabilities without CVE?
We add and maintain all vulnerabilities no matter if they got a CVE assigned or not. Therefore, we are able to introduce additional value to the general CVE stream.
Furthermore, we are approved by the CVE program as a CVE Numbering Authority (CNA) and by NIST NVD as an Authorized Data Publisher (ADP). This allows us to assign CVE identifiers and to maintain CVE entries.
As a global vulnerability database we are in the unique position to be not limited by a scope like vendor CNAs or regional CNAs. Therefore, we are also allowed to assign CVEs to popular products which might be handled by vendors or other CNAs as long as this is aligned with the official CNA Rules.
How do you handle user submissions?
Registered users have the unique possibility to submit new entries or to edit existing entries on the web site. All submits, commits and comments are stored in a queue which is processed by the VulDB moderation team.
If a submission is correct, it will be accepted and added to the service. If the data is wrong then the submission will be rejected with a reason.
How do you maintain old entries?
The VulDB moderation team is eager to update existing entries. This might happen because the ongoing monitoring identifies new information regarding a known vulnerability.
But we are also always processing a certain amount of existing entries to determine if the information is still up-to-date. This consistent updating of old entries is quite unique among vulnerability databases.
What kind of Service Level Agreement do you provide?
We provide a basic Service Level Agreement (SLA) regarding service availability, vulnerability processing, community moderation, and support handling. An extended SLA may be negotiated as part of a commercial license agreement.
How can I report a bug or issue in VulDB?
We are eager to improve to provide the best possible experience for our users. If you have found a technical issue or a security vulnerability in one of our services we are happy to know about it. Please check our bug bounty program for contact possibilities, rewards, and requirements.
Risk Rating
Do you provide a risk rating?
We provide multiple risk rating indicators:
- own risk rating (low, medium, high)
- CVSSv2/CVSSv3 Base and Temp scores by VulDB, Vendor, Researcher and NVD
- unique CVSSv3 Meta score
- unique exploit price calculation
- unique cyber threat intelligence scoring
- additional risk ratings by other sources (e.g. tools, vendors, databases)
Do you provide CVSS scores?
We guarantee a VulDB score (none of our entries has no score) which includes CVSSv3/CVSSv2 and Base/Temp. We provide additional vectors and scores from different sources which includes but is not limited to:
- VulDB (guaranteed by us, always includes a confidence level)
- Vendor
- Researcher
- NVD
How do you calculate your own CVSS scores?
We are using standardized internal guidelines to provide quality assurance for scoring.
How do you calculate your exploit prices?
We are using a unique algorithm based on monitoring, observations, and statistical models.
How may we buy/sell exploits?
We do not buy/sell exploits. Please consider contacting a vulnerability broker specialized in such services.
Cyber Threat Intelligence
How does CTI work?
Our approach of Cyber Threat Intelligence (CTI) is unique.
The CTI team is monitoring activities of actors. This includes but is not limited to sources like web sites, social media, forums, and darknet markets. These activities are logged, classified, and analyzed. This leads to a CTI Interest Score (0.00-10.00) for a vulnerability and a CTI Activity Score (0-1000) for an actor.
The relationship between actors, primarily different countries, is analyzed to determine political tensions. This leads to a geopolitical Attack Probability Score which helps to determine emerging threats and ongoing attacks.
Who is eligible for CTI information?
Some basic threat intelligence information is available on the web site for free. Some advanced data, statistics, and features require a dedicated purchase.
API
How may I use the API?
The API is accessible via web, expects HTTP requests and uses JSON/XML for responses.
When do my API credits reset?
The API consumption calculation is a moving window. If you exceed your limit, you have to wait until some of your earlier access attempts become older than 24 hours before you can do new requests.
Therefore, the reset does not happen at a specific time. As we have customers all around the world there would not be an ideal time to do such a reset. We would then have to expect a high peak of requests after such a generic reset as all customers would gain new credits at the same time. To distribute the requests we decided to implement a moving window.
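A client-side model of the moving window described above, added here as an example (not VulDB code): it tracks your own request timestamps and computes when the next request fits into the budget. The class name, the one-credit-per-request default and the exact handling of the 24-hour boundary are assumptions.

```python
from collections import deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=24)  # window length stated in the FAQ


class CreditWindow:
    """Client-side model of a moving 24-hour credit window (hypothetical helper)."""

    def __init__(self, daily_limit):
        self.daily_limit = daily_limit
        self._spent = deque()  # (timestamp, credits), oldest first

    def _expire(self, now):
        # Assumption: a spend stops counting once it is exactly 24 hours old.
        while self._spent and now - self._spent[0][0] >= WINDOW:
            self._spent.popleft()

    def used(self, now):
        self._expire(now)
        return sum(c for _, c in self._spent)

    def record(self, now, credits=1):
        """Book a request; refuse it locally if it would exceed the limit."""
        if self.used(now) + credits > self.daily_limit:
            return False
        self._spent.append((now, credits))
        return True

    def next_allowed(self, now, credits=1):
        """Earliest time at which a request costing `credits` fits again."""
        if credits > self.daily_limit:
            raise ValueError("request costs more than the whole daily limit")
        need = self.used(now) + credits - self.daily_limit
        if need <= 0:
            return now
        freed = 0
        for ts, c in self._spent:  # oldest spends leave the window first
            freed += c
            if freed >= need:
                return ts + WINDOW
        raise AssertionError("unreachable: need never exceeds credits in use")


def demo():
    # Constructed scenario: limit of 3 credits, requests at 08:00, 12:00, 20:00 UTC.
    t0 = datetime(2024, 5, 26, 8, 0, tzinfo=timezone.utc)
    w = CreditWindow(daily_limit=3)
    results = [w.record(t0 + timedelta(hours=h)) for h in (0, 4, 12)]
    blocked = w.record(t0 + timedelta(hours=13))       # window is full
    resume = w.next_allowed(t0 + timedelta(hours=13))  # when the 08:00 spend ages out
    return results, blocked, resume
```

There is no fixed reset time in this model: capacity returns one spend at a time, each exactly 24 hours after it was made.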
What happens with unused API credits?
You purchase a certain amount of usable API credits per day. If this day passes, your unused API credits expire. It is not possible to collect credits and stack them for future consumption.
How may I increase the amount of API credits?
You are able to purchase additional API credits. We provide different pricing models to match the individual needs of our customers.
How many API credits are recommended?
This depends on your use case. On a regular day there are up to 150 new vulnerabilities published per day. If you want to do a steady vulnerability monitoring, 200 API credits would be sufficient to handle the normal stream.
But there are days, especially patch days of big companies like Microsoft and Oracle, which generate sometimes more than 400 new entries per day. To handle such peaks in real-time we recommend 600 API credits per day.
If you also want to fetch all daily updates of existing entries, an additional 200 API credits per day are recommended.
Some clients, especially enterprise customers, have the task to investigate and analyze older entries. In such cases we recommend 800 or more API credits. Our enterprise license is the perfect fit for this requirement.
Alerting
Do you provide an alerting service?
We provide a variety of alerting mechanisms:
- API
- Mail Alert
- CTI Alerts
- RSS Feeds
How do API alerts work?
You are able to access the API with custom queries to get the latest issues affecting our product landscape. This can be done with extended search queries, custom alert filter, and collections (enterprise customers only).
How do mail alerts work?
You are able to enable and maintain your own mail alert in your user profile. Adding products (vendor and product name) will provide custom views and alerting capabilities. If one of your defined products has a new vulnerability, a mail alert is sent once a day to your defined mail address. This helps you to stay up-to-date without having the need to visit the web site on a regular basis.
How do CTI alerts work?
You agree upon a coverage and cadence of CTI monitoring services. Whenever a new observation is made, a quick report is sent to you. We distinguish between Alerts (new identification, forecasting included) and Infos (verification of existing disclosures, forecasting included).
Vendor Participation
How may we support VulDB as a vendor?
We appreciate all kinds of community, researcher, and vendor support. We maintain good contacts to have a fruitful exchange of vulnerability and threat intelligence data.
As a vendor you may submit new vulnerabilities as quickly as possible to keep the defensive community and your user base as informed as possible. You may also edit and enrich existing entries to help gain good data quality.
If you want to automatically feed your product and vulnerability data to VulDB, please contact us to discuss the possibilities (e.g. automated imports, API uploads).
How may we add a vendor statement to an entry?
As a vendor you have the possibility to submit an official statement which will be added as such to an entry. This makes it possible to mention results of your quality testing, insights of threat analysis, and suggestions for countermeasures.
How may we delete a vulnerability on VulDB as it hurts our reputation?
One of the aspects of VulDB is the documentation of vulnerabilities. If such were disclosed, discussed, and added to the database, there is no good reason why we would delete such information. Even if an entry is old it might be of interest for historians.
It is important for us to document vulnerabilities as fairly and accurately as possible. If you partially or fully disagree with an entry, you have the following possibilities:
- If the information is wrong or outdated, we encourage you to edit the entry to keep it up-to-date.
- If you disagree with a disclosure or technical details of an entry, you are able to submit an official statement which will be added to the entry.
- If you have something to add otherwise, you may use the community comment feature of the available entries.
- If you think the core issue of an entry is non-existent, you may flag it as disputed with an edit.
- If you can prove that an entry is a false-positive, we will flag it as such (the entry remains online for documentation purposes if other sources list it too).
- If you can prove that an entry is a false-positive and VulDB is the only source, we will delete the entry.
Contact
How may I contact you for further inquiries?
In any case please contact our support team via the online form on the web site. They will reply or delegate your request to the responsible department or team. This does also apply for media inquiries (e.g. expertise, interviews).
Updated: 26/05/2024 by VulDB Documentation Team