Vulnerability Databases#

Reference of vulnerability identifier schemes (CVE, CWE, CPE, CVSS, EPSS, etc.) and the databases / advisories the operator consults during triage, scanning, and threat-modeling.

For threat-actor TTPs, see MITRE ATT&CK. For threat- intel feeds, see CTI Sources. For bug bounty disclosure, see Bug Bounty Programs.

Identifier schemes#

Scheme

Notes

CVE

Common Vulnerabilities and Exposures; MITRE-coordinated; CVE Numbering Authorities (CNAs) issue IDs (CVE-YYYY-NNNNN).

CWE

Common Weakness Enumeration; bug-class taxonomy (CWE-79 = XSS, CWE-787 = OOB write, CWE-89 = SQLi). CWE Top 25.

CPE

Common Platform Enumeration; product / version naming (cpe:2.3).

CVSS v2 / v3.1 / v4.0

Common Vulnerability Scoring System; 0.0-10.0 severity.

EPSS

Exploit Prediction Scoring System; 0.0-1.0 probability of exploitation in next 30 days; updated daily; FIRST.org.

SSVC

Stakeholder-Specific Vulnerability Categorization; CISA-CMU decision-tree alternative to CVSS.

KEV

CISA Known Exploited Vulnerabilities catalog; mandates US federal patching deadlines.

VEX

Vulnerability Exploitability eXchange; CycloneDX + OpenVEX + CSAF VEX; “is my product affected”.

CSAF

Common Security Advisory Framework; OASIS standard for vendor advisories.

PURL

Package URL spec for cross-ecosystem package identification.

GHSA

GitHub Security Advisory ID.

RHSA / DSA / USN

Red Hat / Debian / Ubuntu security advisory IDs.

MS-CVE / MSRC

Microsoft advisory IDs.

ICSA

ICS-CERT advisory ID (CISA).

ICSMA

Medical-device advisory ID.

CVE / NVD / OSV#

Database

Notes

NVD

NIST National Vulnerability Database; CVE + CVSS + CPE + CWE enrichment; standard US source (slow since 2024 backlog).

CVE.org

MITRE-managed CVE list; CNA-fed; faster than NVD lately.

CISA KEV

cisa.gov/known-exploited-vulnerabilities-catalog; binding for US Federal.

EUVD

EU Vulnerability Database (ENISA); launching to align with NIS2.

CNNVD

China National Vulnerability Database; CN MSS-aligned; sometimes leads disclosure.

JVN

Japan Vulnerability Notes; JPCERT/CC + IPA.

KISA / KrCERT

South Korean.

BDU FSTEC

Russian.

OSV.dev

Google OSS Vulnerability database; per-ecosystem; precise affected ranges (semver).

GHSA

GitHub Security Advisories; powers Dependabot; also published to OSV.

GitLab Advisory DB

GitLab.

Snyk Vulnerability DB

Snyk’s curated database.

Mend Vulnerability D B

Mend (WhiteSource); commercial.

Sonatype OSS Index

OSS-focused.

VulDB

Commercial; fast publishing; some criticism.

Vulners

Commercial aggregator.

exploit-db

Offensive Security; PoC + exploits archive.

0day.today

Commercial 0day market.

Packet Storm

Long-running advisory + exploit archive.

Vendor advisory feeds#

Vendor

Feed

Microsoft

MSRC; MAPP; Patch Tuesday (2nd Tuesday); .NET, Edge, Office.

Apple

support.apple.com/security; per-device-class advisories.

Google

Android security bulletin (1st Mon); Chrome release blog.

Adobe

PSIRT.

Oracle

CPU (Critical Patch Update; quarterly).

Red Hat

RHSA + RHBA; Errata.

Debian

DSA + DLA (LTS).

Ubuntu

USN; LTS extended security maintenance.

SUSE

SUSE-SU.

VMware (Broadcom)

VMSA.

Cisco

PSIRT.

Juniper

JSA.

Palo Alto

PAN-SA.

Fortinet

FG-IR.

F5

K-articles.

Citrix

CTX articles.

Pulse Secure / Ivanti

KA articles.

Atlassian

security.atlassian.com.

Apache

cve@apache.org.

Eclipse

projects.eclipse.org/security.

PHP

php.net/security.

Linux kernel

syzkaller / linux-distros / oss-security mailing list.

Mozilla

MFSA.

HashiCorp

hcsec.

GitLab

gitlab.com/gitlab-org/cves.

Atlassian

security advisories.

Scanners#

Tool

Vendor

Notes

Nessus

Tenable

The de-facto enterprise scanner.

Qualys VMDR

Qualys

Cloud + agent.

Rapid7 InsightVM

Rapid7

Nexpose-derived.

Tenable.io / .sc

Tenable

Cloud + on-prem.

OpenVAS / Greenbone

Greenbone

OSS + commercial.

Nuclei

ProjectDiscovery

Template-based; community-curated.

Nikto

OSS

Web vuln scanner.

sslyze / testssl.sh

OSS

TLS posture.

trivy

Aqua

Container / IaC / SBOM / OS package CVE scan.

grype

Anchore

SBOM-aware CVE scan.

clair

Quay

Container scanner.

SBOM-vuln-scan

Various

Cyclonedx / SPDX SBOM ingest.

Wiz / Lacework / Orca

Various

CSPM + CWPP including CVE.

Microsoft Defender

Microsoft

MDC for Cloud + Vulnerability Mgmt.

GitHub Dependabot

GitHub

Dependency CVE alerts.

Renovate

Mend

Multi-platform.

SBOM formats#

Format

Notes

SPDX 2.3 / 3.0

ISO/IEC 5962; Linux Foundation; the gov-favored format.

CycloneDX 1.5 / 1.6

OWASP; the developer-favored format; rich VEX support.

SWID

ISO/IEC 19770-2; software ID tags.

in-toto attestations

Supply-chain attestation framework; sigstore + SLSA.

Operator notes#

  • CVSS is severity, not risk, combine with EPSS + KEV + asset criticality + reachability for prioritization.

  • NVD enrichment lag since Feb 2024 has been months; fall back to vendor + GitHub + Vulners + EUVD.

  • CISA KEV is the most operator-actionable signal of in-the-wild exploitation; subscribe.

  • EPSS top 1% identifies the ~30 CVEs/day actually worth panicking about.

  • VEX statements (CycloneDX VEX, OpenVEX, CSAF VEX) let vendors say “we ship X but it’s not exploitable here”; the missing piece for SBOM-driven scanners.

  • Reserved CVEs (RESERVED status), placeholder numbers; details follow disclosure.

  • Wormable / pre-auth RCE in internet-facing software (Exchange, Confluence, Citrix, Ivanti, SAP, MOVEit) gets weaponised in days; have a playbook.

  • Don’t trust scanner severity blindly, false positives on package CVEs are common; container scanners are noisy for known-not-exploitable CVEs without VEX context.

References#