Vulnerability databases are platforms that collect, maintain and share information about software and system vulnerabilities. These databases can be public or private and are often maintained by security researchers, governing bodies, or security vendors. In this article, you will learn how vulnerabilities are scored, and discover six notable and frequently updated vulnerability databases.
Why Do You Need Vulnerability Databases?
Vulnerability databases help you stay up-to-date on current threats to your systems and software. Without these tools, it would be entirely up to you to identify and manage vulnerabilities. Databases take this work off your plate and provide you with relevant, actionable information.
Some specific benefits of vulnerability databases include:
MITRE is an organization that runs one of the largest databases, called Common Vulnerabilities and Exposures (CVE). This database compiles information from a range of open-source and proprietary products and makes the information available to the public.
MITRE also creates and sets standards for vulnerability identification and tracking. It also assigns vulnerabilities scores based on the Common Vulnerability Scoring System (CVSS). The listings that MITRE maintains serve as the foundation for many vulnerability scanners and databases.
CVE is a well-known standard for vulnerability databases. CVE is also used to refer specifically to the ID number that this database uses. This number is also commonly referred to as a “CVE name”, "CVE number", or "CVE Identifier". These numbers are assigned to vulnerabilities directly by MITRE or by MITRE approved organizations.
CVEs are unique identifiers assigned to specific vulnerabilities. The format of a CVE ID follows a standard format of CVE-YYYY-NNNN, where Y represents the year a vulnerability is made public and N the count of vulnerabilities in that year.
Each CVE is also assigned a specific status, indicating the stage of the vulnerability. These statuses include:
Top 6 Vulnerability Databases
There are many vulnerability databases out there that you can choose from, depending on your specific industry and tooling. Ideally, you should monitor and incorporate information from multiple databases to ensure the greatest vulnerability coverage. The following databases are some of the best sources to include.
1. National Vulnerability Database (NVD)
NVD is a vulnerability database that cooperatively operates with MITRE. Although the MITRE database and NVD are separate entities, both are sponsored by the U.S. Department of Homeland Security.
When MITRE releases vulnerability information, it only contains an ID and a short description. NVD takes this information and performs a security analysis to add information and recommendations to each entry. NVD also assigns a score indicating how serious a vulnerability is and the priority you should give to the issue.
2. Vulnerability Lab
Vulnerability Lab is an open-source database maintained by WhiteSource, a security vendor. It aggregates vulnerability data from a variety of sources, including NVD. Each vulnerability entry includes information about relevant languages, vulnerability type, exposure volume, severity level, and remediation suggestions. To locate vulnerabilities, you can search by project name or CVE.
3. Vulnerability Assessment Platform (Vulners)
Vulners, a security vendor, offers one of the largest correlated vulnerability and exploit databases available. It integrates data from more than 70 sources and includes search engine features similar to Google (News - Alert). Each database entry contains vulnerability IDs, definitions, and severity scores.
4. Vulnerability Database (VulDB)
VulDB is a community-driven, open-source vulnerability database. It includes entries for known vulnerabilities in any electronic product. Each entry includes ID information, vulnerability scores, and remediation steps. VulDB also includes current and historic vulnerability trends which security teams can use to predict and anticipate threats.
5. CVE Details
CVE Details is a free vulnerability database that incorporates data from NVD as well as other sources, such as Exploit Database. It includes an easy to use interface and search capabilities that enable you to locate vulnerabilities by ID, date, vendor, or type. Each entry includes information on IDs, vulnerability scores, access methods, complexity, and remediation steps.
6. BugTraq (BID)
Although not a true database, BugTraq is a source of vulnerability data that you should not overlook. BID is a high-volume mailing list that includes detailed discussions and announcements for a wide range of vulnerabilities and threat intelligence. It is widely used by security researchers and teams and is one of the most comprehensive sources for up-to-date information on a variety of security topics.
Vulnerability databases can help you identify vulnerabilities and prioritize according to risk level. You can use information from the database when creating strategies for codebase security, when running automated scans and policies, and when applying prioritizing remediation. With the information gleaned from the databases, you can figure out the proper response to threats.
Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP (News - Alert), Samsung NEXT, NetApp and Imperva, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership.LinkedIn (News - Alert): https://www.linkedin.com/in/giladdavidmaayan/