Vulnerability Database Catalog

Description

This catalog initially contains a set of vulnerability databases (VDBs) that were surveyed by the VRDX-SIG to observe differences in identifiers, coverage and scope, size, abstraction and other characteristics. VDBs are loosely defined as sites that provide vulnerability information, such as advisories, with identifiers. Included VDBs are free to access, substantially public, and have broad scope and coverage (not limited to a single vendor or research organization).

Characteristics of each VDB were either provided by survey responses or researched by SIG members. A summary of the survey work was VRDX-SIG: Global Vulnerability Identification at the 2015 FIRST Conference.

The initial set of VDBs was selected to support the survey and is not meant to be comprehensive. The SIG is considering options to add and update entries. Questions or comments can be sent to vrdx-comments@first.org.

Last update: 2016-03-17

Vulnerability Database

AusCERT Security Bulletins

  1. Overview - Name: AusCERT Security Bulletins
    • Maintainer: AusCERT
    • URL
      (en-us) https://auscert.org.au/1
      (en-us) https://auscert.org.au/11045
    • The overwhelming majority of them (ESB) are publicly available and the (ASB) bulletins while are available for AusCERT members only initially are also publicly available after a month.
  2. ID scheme - Number of ID schemes: 2
    • ID format: ASB-{YYYY}.{NNNN}, ESB-{YYYY}.{NNNN} (4 digit year, 4 fixed digits)
  3. CVE (X.1520) - Use of CVE: YES
  4. CWE (X.1524) - Use of CWE IDs: NO
    • Use all CWE IDs or subset: n/a
  5. CVSS (X.1521) - Base Metrics: NO
    • Temporal Metrics: NO
    • Environmental Metrics: NO
  6. CPE (X.1528) - Use of CPE: NO
  7. XML Data Feed - Use of CVRF: NO
  8. VDB contents - Title: YES
    • Description : YES
    • Products Affected: YES
    • Impact: YES
    • Severity: YES
    • Solution: YES
    • Vendor Information: YES
    • References: YES
    • Credit/Finder: NO
    • Available languages: English
    • Search: YES
      https://auscert.org.au/search.html

CERT/CC Vulnerability Notes Database

  1. Overview - Name: CERT/CC Vulnerability Notes Database
    • Maintainer: CERT/CC
    • URL
      (en-us) http://www.kb.cert.org/vuls/
    • The Vulnerability Notes Database provides timely information about software vulnerabilities. Vulnerability notes include summaries, technical details, remediation information, and lists of affected vendors. Many vulnerability notes are the result of private coordination and disclosure efforts.
  2. ID scheme - Number of ID schemes: 1
    • ID format: VU#{NNNNNN} (6 fixed digits)
  3. CVE (X.1520) - Use of CVE: YES
  4. CWE (X.1524) - Use of CWE IDs: YES
    • Use all CWE IDs or subset: all
  5. CVSS (X.1521) - Base Metrics: YES (v2)
    • Temporal Metrics: YES (v2)
    • Environmental Metrics: YES (v2)
  6. CPE (X.1528) - Use of CPE: NO
  7. XML Data Feed - Use of CVRF: NO
  8. VDB contents - Title: YES
    • Description : YES
    • Products Affected: YES
    • Impact: YES
    • Severity: NO
    • Solution: YES
    • Vendor Information: YES
    • References: YES
    • Credit/Finder: YES
    • Available languages: English
    • Search: YES
      http://www.kb.cert.org/vuls/html/search/

CERT-EU Security Advisories

  1. Overview - Name: CERT-EU Security Advisories
  2. ID scheme - Number of ID schemes: 1
    • ID format: CERT-EU Security Advisory {YYYY}-{NNN} (4 digit year, 3 fixed digits)
  3. CVE (X.1520) - Use of CVE: YES
  4. CWE (X.1524) - Use of CWE IDs: NO
    • Use all CWE IDs or subset: n/a
  5. CVSS (X.1521) - Base Metrics: YES (v2)
    • Temporal Metrics: NO
    • Environmental Metrics: NO
  6. CPE (X.1528) - Use of CPE: NO
  7. XML Data Feed - Use of CVRF: NO
    • Use of RSS/Atom: NO
  8. VDB contents - Title: YES

China National Vulnerability Database of Information Security (CNNVD)

  1. Overview - Name: China National Vulnerability Database of Information Security (CNNVD)
    • Maintainer: China Information Security Evaluation Center
    • URL
      (zh-cn) http://www.cnnvd.org.cn/
    • China National Information Security Vulnerability Database, the English name "China National Vulnerability Database of Information Security", referred to as "CNNVD", is maintained by China Information Security Evaluation Center for the effective performance of the functions of vulnerability analysis and risk assessment, responsible for building operation and maintenance of the national information security vulnerabilities library, for our information security to provide basic services.
  2. ID scheme - Number of ID schemes: 1
    • ID format: CNNVD-{YYYY}{MM}-{NNN} (4 digit year, 2 digit month, 3 fixed digits)
  3. CVE (X.1520) - Use of CVE: NO
  4. CWE (X.1524) - Use of CWE IDs: NO
    • Use all CWE IDs or subset: n/a
  5. CVSS (X.1521) - Base Metrics: NO
    • Temporal Metrics: NO
    • Environmental Metrics: NO
  6. CPE (X.1528) - Use of CPE: NO
  7. XML Data Feed - Use of CVRF: NO
    • Use of RSS/Atom: NO
  8. VDB contents - Title: YES
    • Description : YES
    • Products Affected: NO
    • Impact: NO
    • Severity: YES
    • Solution: NO
    • Vendor Information: YES
    • References: YES
    • Credit/Finder: NO
    • Available languages: Chinese
    • Search: YES
      http://www.cnnvd.org.cn/vulnerability

China National Vulnerability Database (CNVD)

  1. Overview - Name: China National Vulnerability Database (CNVD)
    • Maintainer: CNCERT/CC
    • URL
      (zh-cn) http://www.cnvd.org.cn/
    • The main objective, namely to establish CNVD and national government departments, important information system users, operators, major security vendors, software vendors, research institutions, such as the public Internet users together to build unified collection of software security vulnerabilities verification, early warning and emergency release system, and effectively enhance China's overall level of research and the ability to timely prevention security vulnerabilities, thus improving the security of information systems and domestic software, promote the development of domestic security products.
  2. ID scheme - Number of ID schemes: 1
    • ID format: CNVD-{YYYY}-{NNNNN} (4 digit year, 5 fixed digits)
  3. CVE (X.1520) - Use of CVE: YES
  4. CWE (X.1524) - Use of CWE IDs: NO
    • Use all CWE IDs or subset: n/a
  5. CVSS (X.1521) - Base Metrics: YES (v2)
    • Temporal Metrics: NO
    • Environmental Metrics: NO
  6. CPE (X.1528) - Use of CPE: NO
  7. XML Data Feed - Use of CVRF: NO
    • Use of RSS/Atom: NO
  8. VDB contents - Title: YES
    • Description : YES
    • Products Affected: NO
    • Impact: YES
    • Severity: YES
    • Solution: YES
    • Vendor Information: YES
    • References: YES
    • Credit/Finder: YES
    • Available languages: Chinese
    • Search: YES
      http://www.cnvd.org.cn/flaw/list.htm

Common Vulnerabilities and Exposures (CVE)

  1. Overview - Name: Common Vulnerabilities and Exposures (CVE)
    • Maintainer: MITRE
    • URL
      (en-us) https://cve.mitre.org/
    • Common Vulnerabilities and Exposures (CVE®) is a dictionary of common names (i.e., CVE Identifiers) for publicly known information security vulnerabilities.
  2. ID scheme - Number of ID schemes: 1
    • ID format: CVE-{YYYY}-{NNNN...} (4 digit year, Variable length arbitrary digits)
  3. CVE (X.1520) - Use of CVE: YES
  4. CWE (X.1524) - Use of CWE IDs: NO
    • Use all CWE IDs or subset: n/a
  5. CVSS (X.1521) - Base Metrics: NO
    • Temporal Metrics: NO
    • Environmental Metrics: NO
  6. CPE (X.1528) - Use of CPE: NO
  7. XML Data Feed - Use of CVRF : YES (v1.1)
    (en-us) https://cve.mitre.org/cve/cvrf.html
    • Use of RSS/Atom: NO
  8. VDB contents - Title: NO
    • Description : YES
    • Products Affected: NO
    • Impact: NO
    • Severity: NO
    • Solution: NO
    • Vendor Information: NO
    • References: YES
    • Credit/Finder: NO
    • Available languages: English
    • Search: YES
      http://cve.mitre.org/cve/cve.html

Exploit Database

  1. Overview - Name: Exploit Database
    • Maintainer: Offensive Security
    • URL
      (en-us) https://www.exploit-db.com/
    • The Exploit Database is a CVE compliant archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers.
  2. ID scheme - Number of ID schemes: 1
    • ID format: EDB-ID:{NNNNN} (5 fixed digits)
  3. CVE (X.1520) - Use of CVE: YES
  4. CWE (X.1524) - Use of CWE IDs: NO
    • Use all CWE IDs or subset: n/a
  5. CVSS (X.1521) - Base Metrics: NO
    • Temporal Metrics: NO
    • Environmental Metrics: NO
  6. CPE (X.1528) - Use of CPE: NO
  7. XML Data Feed - Use of CVRF: NO
  8. VDB contents - Title: YES
    • Description: YES
    • Products Affected: YES
    • Impact: YES
    • Severity: NO
    • Solution: NO
    • Vendor Information: NO
    • References: NO
    • Credit/Finder: YES
    • Available languages: English
    • Search: NO

ICS-CERT ADVISORY

  1. Overview - Name:
  2. ID scheme - Number of ID schemes: 1
    • ID format: ICSA-{YY}-{DDD}-{NN} (2 digit year, 3 digit day of year, 2 fixed digits)
  3. CVE (X.1520) - Use of CVE: YES
  4. CWE (X.1524) - Use of CWE IDs: YES
    • Use all CWE IDs or subset: all
  5. CVSS (X.1521) - Base Metrics: YES (currently v3, for older issues v2)
    • Temporal Metrics: YES (for some issues - currently v3, for older issues v2)
    • Environmental Metrics: NO
  6. CPE (X.1528) - Use of CPE: NO
  7. XML Data Feed - Use of CVRF: NO
  8. VDB contents - Title: YES
    • Description: YES
    • Products Affected: YES
    • Impact: YES
    • Severity: NO
    • Solution: YES
    • Vendor Information: YES
    • References: YES
    • Credit/Finder: YES
    • Available languages: English
    • Search: NO

Japan Vulnerability Notes (JVN)

  1. Overview - Name: Japan Vulnerability Notes (JVN)
    • Maintainer: JPCERT/CC
    • URL
      (en-us) http://jvn.jp/en/
      (ja-jp) http://jvn.jp/
    • JVN is Vulnerability Handling Coordination DB, which is providing vulnerability countermeasure information and Japanese vendor status for vulnerabilities reported through "Information Security Early Warning Partnership".
  2. ID scheme - Number of ID schemes: 2
    • ID format: JVN#{NNNNNNNN}, JVNVU#{NNNNNNNN} (8 fixed digits)
  3. CVE (X.1520) - Use of CVE: YES
  4. CWE (X.1524) - Use of CWE IDs: NO
    • Use all CWE IDs or subset: n/a
  5. CVSS (X.1521) - Base Metrics: YES (v2)
    • Temporal Metrics: NO
    • Environmental Metrics: NO
  6. CPE (X.1528) - Use of CPE: NO
  7. XML Data Feed - Use of CVRF: NO
  8. VDB contents - Title: YES
    • Description : YES
    • Products Affected: YES
    • Impact: YES
    • Severity: NO
    • Solution: YES
    • Vendor Information: YES
    • References: YES
    • Credit/Finder: YES
    • Available languages: Japanese, English
    • Search: NO

JC3 Bulletin Archive

  1. Overview - Name: JC3 Bulletin Archive
  2. ID scheme - Number of ID schemes: 1
    • ID format: V-{NNN} (3 fixed digits)
  3. CVE (X.1520) - Use of CVE: YES
  4. CWE (X.1524) - Use of CWE IDs: NO
    • Use all CWE IDs or subset: n/a
  5. CVSS (X.1521) - Base Metrics: NO
    • Temporal Metrics: NO
    • Environmental Metrics: NO
  6. CPE (X.1528) - Use of CPE: NO
  7. XML Data Feed - Use of CVRF: NO
  8. VDB contents - Title: YES

JVN iPedia

  1. Overview - Name: JVN iPedia
    • Maintainer: IPA
    • URL
      (en-us) http://jvndb.jvn.jp/en/
      (ja-jp) http://jvndb.jvn.jp/
    • JVN iPedia is Vulnerability Archiving DB, which is providing countermeasure information database for covering overall vulnerabilities.
  2. ID scheme - Number of ID schemes: 1
    • ID format: JVNDB-{YYYY}-{NNNNNN} (4 digit year, 6 fixed digits)
  3. CVE (X.1520) - Use of CVE: YES
  4. CWE (X.1524) - Use of CWE IDs: YES
    • Use all CWE IDs or subset: subset (CWE-635: Weaknesses Used by NVD)
  5. CVSS (X.1521) - Base Metrics: YES (v2)
    • Temporal Metrics: NO
    • Environmental Metrics: NO
  6. CPE (X.1528) - Use of CPE: YES (v2.2)
  7. XML Data Feed - Use of CVRF: YES (v1.1)
    (en-us) http://jvndb.jvn.jp/myjvn?method=getCvrfInfo&lang=en&vulnId=
  8. VDB contents - Title: YES

National Vulnerability Database (NVD)

  1. Overview - Name: National Vulnerability Database (NVD)
  2. ID scheme - Number of ID schemes: 1
    • ID format: CVE-{YYYY}-{NNNN...} (4 digit year, Variable length arbitrary digits)
    • Vulnerability Definition: [more]
  3. CVE (X.1520) - Use of CVE:
  4. CWE (X.1524) [more] - Use of CWE IDs: YES
    • Use all CWE IDs or subset: subset (CWE-635: Weaknesses Used by NVD)
  5. CVSS (X.1521) - Base Metrics: YES (v2)
    • Temporal Metrics: NO
    • Environmental Metrics: NO
  6. CPE (X.1528) - Use of CPE: YES (v2.2/v2.3)
  7. XML Data Feed - Use of CVRF: NO
  8. VDB contents - Title: NO
    • Description : YES
    • Products Affected: YES
    • Impact: YES
    • Severity: YES
    • Solution: NO
    • Vendor Information: YES
    • References: YES
    • Credit/Finder: NO
    • Available languages: English, Spanish
    • Search: YES
      http://web.nvd.nist.gov/view/vuln/search

NCSC-FI Vulnerability Database

  1. Overview - Name: NCSC-FI Vulnerability Database
  2. ID scheme - Number of ID schemes: 1
    • ID format: FICORA #{NNNNNN} (6 fixed digits)
  3. CVE (X.1520) - Use of CVE: YES
  4. CWE (X.1524) - Use of CWE IDs: NO
    • Use all CWE IDs or subset: n/a
  5. CVSS (X.1521) - Base Metrics: NO
    • Temporal Metrics: NO
    • Environmental Metrics: NO
  6. CPE (X.1528) - Use of CPE: NO
  7. XML Data Feed - Use of CVRF: NO
    • Use of RSS/Atom: NO
  8. VDB contents - Title: YES

Packet Storm

  1. Overview - Name: Packet Storm
  2. ID scheme - Number of ID schemes: 1
    • ID format: {NNNNNN} (6 fixed digits)
  3. CVE (X.1520) - Use of CVE: YES
  4. CWE (X.1524) - Use of CWE IDs: NO
    • Use all CWE IDs or subset: n/a
  5. CVSS (X.1521) - Base Metrics: NO
    • Temporal Metrics: NO
    • Environmental Metrics: NO
  6. CPE (X.1528) - Use of CPE: NO
  7. XML Data Feed - Use of CVRF: NO
  8. VDB contents - Title: YES

Rapid7 - Vulnerability & Exploit Database (Metasploit)

  1. Overview - Name: Vulnerability & Exploit Database
  2. ID scheme - Number of ID schemes: 1
    • ID format: {SSSS...} (Variable length arbitrary strings)
  3. CVE (X.1520) - Use of CVE: NO
  4. CWE (X.1524) - Use of CWE IDs: NO
    • Use all CWE IDs or subset: n/a
  5. CVSS (X.1521) - Base Metrics: NO
    • Temporal Metrics: NO
    • Environmental Metrics: NO
  6. CPE (X.1528) - Use of CPE: NO
  7. XML Data Feed - Use of CVRF: NO
    • Use of RSS/Atom: NO
  8. VDB contents - Title: YES
    • Description: YES
    • Products Affected: YES
    • Impact: YES
    • Severity: NO
    • Solution: NO
    • Vendor Information: NO
    • References: NO
    • Credit/Finder: NO
    • Available languages: English
    • Search: YES http://www.rapid7.com/db/search

scip VulDB

  1. Overview - Name: scip VulDB
  2. ID scheme - Number of ID schemes: 1
    • ID format: scipID: {NNNNN} (5 fixed digits)
  3. CVE (X.1520) - Use of CVE: YES
  4. CWE (X.1524) - Use of CWE IDs: NO
    • Use all CWE IDs or subset: n/a
  5. CVSS (X.1521) - Base Metrics: YES (v2)
    • Temporal Metrics: YES (v2)
    • Environmental Metrics: NO
  6. CPE (X.1528) - Use of CPE: YES (v2.2)
  7. XML Data Feed - Use of CVRF: NO
  8. VDB contents - Title: YES
    • Description: YES
    • Products Affected: YES
    • Impact: YES
    • Severity: NO
    • Solution: YES
    • Vendor Information: YES
    • References: YES
    • Credit/Finder: NO
    • Available languages: German, English, French, Italian, Spanish, Polish, Swedish
    • Search: NO
      http://www.scip.ch/en/?vuldb.archiv (Annual Archives)

SecuriTeam

  1. Overview - Name: SecuriTeam
    • Maintainer: Beyond Security
    • URL
      (en-us) http://www.securiteam.com/
    • Having experience as Security Specialists, Programmers and System Administrators we appreciate your need for a "Security Portal" - A central Security web site containing all the newest security information from various mailing lists, hacker channels and our own tools and knowledge.
  2. ID scheme - Number of ID schemes: 1
    • ID format: {SSSSSSSSSS} (10 fixed strings)
  3. CVE (X.1520) - Use of CVE: YES
  4. CWE (X.1524) - Use of CWE IDs: NO
    • Use all CWE IDs or subset: n/a
  5. CVSS (X.1521) - Base Metrics: NO
    • Temporal Metrics: NO
    • Environmental Metrics: NO
  6. CPE (X.1528) - Use of CPE: NO
  7. XML Data Feed - Use of CVRF: NO
  8. VDB contents - Title: YES
    • Description: YES
    • Products Affected: YES
    • Impact: YES
    • Severity: NO
    • Solution: NO
    • Vendor Information: NO
    • References: NO
    • Credit/Finder: YES
    • Available languages: English
    • Search: YES
      http://www.securiteam.com/cgi-bin/htsearch

Security Focus

  1. Overview - Name: Vulnerabilities
  2. ID scheme - Number of ID schemes: 1
    • ID format: NNNNN {5 fixed digits}
  3. CVE (X.1520) - Use of CVE: YES
  4. CWE (X.1524) - Use of CWE IDs: NO
    • Use all CWE IDs or subset: n/a
  5. CVSS (X.1521) - Base Metrics: NO
    • Temporal Metrics: NO
    • Environmental Metrics: NO
  6. CPE (X.1528) - Use of CPE: NO
  7. XML Data Feed - Use of CVRF: NO
    • Use of RSS/Atom: NO
  8. VDB contents - Title: YES
    • Description: YES
    • Products Affected: NO
    • Impact: YES
    • Severity: NO
    • Solution: YES
    • Vendor Information: YES
    • References: NO
    • Credit/Finder: YES
    • Available languages: English
    • Search: YES
      http://www.securityfocus.com/vulnerabilities

SecurityTracker

  1. Overview - Name: SecurityTracker
  2. ID scheme - Number of ID schemes: 1
    • ID format: SecurityTracker Alert ID: {NNNNNNN} (7 fixed digits)
  3. CVE (X.1520) - Use of CVE: YES
  4. CWE (X.1524) - Use of CWE IDs: NO
    • Use all CWE IDs or subset: n/a
  5. CVSS (X.1521) - Base Metrics: NO
    • Temporal Metrics: NO
    • Environmental Metrics: NO
  6. CPE (X.1528) - Use of CPE: NO
  7. XML Data Feed - Use of CVRF: NO
    • Use of RSS/Atom: NO
  8. VDB contents - Title: YES

TippingPoint Zero Day Initiative

  1. Overview - Name: TippingPoint Zero Day Initiative
  2. ID scheme - Number of ID schemes: 1
    • ID format: ZDI-{YY}-{NNN} (2 digit year, 3 fixed digits)
  3. CVE (X.1520) - Use of CVE: YES
  4. CWE (X.1524) - Use of CWE IDs: NO
    • Use all CWE IDs or subset: n/a
  5. CVSS (X.1521) - Base Metrics: YES (v2)
    • Temporal Metrics: NO
    • Environmental Metrics: NO
  6. CPE (X.1528) - Use of CPE: NO
  7. XML Data Feed - Use of CVRF: NO
  8. VDB contents - Title: YES
    • Description: YES
    • Products Affected: NO
    • Impact: YES
    • Severity: NO
    • Solution: YES
    • Vendor Information: YES
    • References: NO
    • Credit/Finder: YES
    • Available languages: English
    • Search: NO

VeriSign iDefense

  1. Overview - Name: Verisign Vulnerability Reports
  2. ID scheme - Number of ID schemes: 1
    • ID format: {NNNN...} (Variable length arbitrary digits)
  3. CVE (X.1520) - Use of CVE: YES
  4. CWE (X.1524) - Use of CWE IDs: NO
    • Use all CWE IDs or subset: n/a
  5. CVSS (X.1521) - Base Metrics: NO
    • Temporal Metrics: NO
    • Environmental Metrics: NO
  6. CPE (X.1528) - Use of CPE: NO
  7. XML Data Feed - Use of CVRF: NO
    • Use of RSS/Atom: NO
  8. VDB contents - Title: YES

WooYun.org

  1. Overview - Name: WooYun.org
    • Maintainer: WooYun
    • URL
      (zh-cn) http://www.wooyun.org/index.php
    • WooYun is a platform between vendors and security researchers to address security issues that allows follow-up and feedback. This platform is provided as public service. Its name comes from the current "cloud" on the Internet.
  2. ID scheme - Number of ID schemes: 1
    • ID format: WooYun-YYYY-{NNNNNN} (6 fixed digits)
  3. CVE (X.1520) - Use of CVE: NO
  4. CWE (X.1524) - Use of CWE IDs: NO
    • Use all CWE IDs or subset: n/a
  5. CVSS (X.1521) - Base Metrics: NO
    • Temporal Metrics: NO
    • Environmental Metrics: NO
  6. CPE (X.1528) - Use of CPE: NO
  7. XML Data Feed - Use of CVRF: NO
  8. VDB contents - Title: YES
    • Description : YES
    • Products Affected: YES
    • Impact: YES
    • Severity: YES
    • Solution: NO
    • Vendor Information: NO
    • References: NO
    • Credit/Finder: YES
    • Available languages: Chinese
    • Search: YES
      http://www.wooyun.org/bugs/