News and Updates
Warning: Old RSS and JSON feeds have been discontinued as of November 15
Old RSS (/vulnerability-feed.php) and JSON (/json-feed.php) feeds are no longer available.
Subscribe to access new RSS feeds and APIs.
Changelog
New
- February 3, 2025:
  - Introduced "Potential exploits", e.g. unverified exploit PoC code published on GitHub or similar sources.
  - Changed "Exploit exists" labels to "Public exploit", which means that an easy-to-use, productized exploit such as a Metasploit module is available.
  - Introduced a new exploitExists status value, 2, for CVEs. From now on, API responses may return one of the following values for the exploitExists field:
    - 0: Exploit information is not available
    - 1: Public exploit. An easy-to-use, productized exploit such as a Metasploit module or an exploit published at exploit-db.com is available
    - 2: Potential exploit. Unverified exploit code or sample code/commands are available. If both a public exploit and a potential exploit exist for a CVE, the exploitExists value will be set to 1.
  - Accepted values when filtering by exploit status:
    - 1: Same behavior as before, the response will include only CVEs with public exploits
    - 2: Response will include only CVEs with potential exploits
    - 3: Response will include CVEs with either public exploits or potential exploits
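As an added example (not CVEdetails' own client code), the snippet below encodes the exploitExists semantics from this entry: the response values 0/1/2 with public outranking potential, the three filter modes applied locally to cached records, and a simple triage order that also uses the isUsedForRansomware field. The sample records are constructed and the "id" key is a placeholder, not the API's field name.

```python
# Added example: interpreting the exploitExists field and its filter modes.
# Field names exploitExists and isUsedForRansomware are from the changelog;
# the "id" key and all record values are constructed for illustration.

# Response values of the exploitExists field.
EXPLOIT_UNKNOWN, EXPLOIT_PUBLIC, EXPLOIT_POTENTIAL = 0, 1, 2
LABELS = {0: "No exploit info", 1: "Public exploit", 2: "Potential exploit"}

# Filter modes: 1 = public only, 2 = potential only, 3 = either.
FILTER_PUBLIC_ONLY, FILTER_POTENTIAL_ONLY, FILTER_ANY = 1, 2, 3
ACCEPTED = {
    FILTER_PUBLIC_ONLY: {EXPLOIT_PUBLIC},
    FILTER_POTENTIAL_ONLY: {EXPLOIT_POTENTIAL},
    FILTER_ANY: {EXPLOIT_PUBLIC, EXPLOIT_POTENTIAL},
}


def exploit_status(has_public: bool, has_potential: bool) -> int:
    """Derive the field value from evidence: a public exploit outranks a PoC."""
    if has_public:
        return EXPLOIT_PUBLIC
    if has_potential:
        return EXPLOIT_POTENTIAL
    return EXPLOIT_UNKNOWN


def exploit_label(record: dict) -> str:
    """Map a record to its UI label; a missing or unexpected value means unknown."""
    return LABELS.get(record.get("exploitExists"), LABELS[EXPLOIT_UNKNOWN])


def filter_by_exploit(records: list, mode: int) -> list:
    """Apply one of the documented filter modes to already-fetched records."""
    if mode not in ACCEPTED:
        raise ValueError(f"unsupported exploitExists filter mode: {mode}")
    return [r for r in records if r.get("exploitExists", 0) in ACCEPTED[mode]]


def triage_order(records: list) -> list:
    """Review order: ransomware use first, then public exploit, then PoC, then rest."""
    rank = {EXPLOIT_PUBLIC: 0, EXPLOIT_POTENTIAL: 1, EXPLOIT_UNKNOWN: 2}
    return sorted(records, key=lambda r: (not r.get("isUsedForRansomware", False),
                                          rank.get(r.get("exploitExists", 0), 2),
                                          r.get("id", "")))


# Constructed sample records (placeholder CVE ids).
SAMPLE = [
    {"id": "CVE-0000-0001", "exploitExists": 1},
    {"id": "CVE-0000-0002", "exploitExists": 2, "isUsedForRansomware": True},
    {"id": "CVE-0000-0003", "exploitExists": 0},
    {"id": "CVE-0000-0004"},  # field absent: treated as 0
]
```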
- December 18, 2024:
  - Added remediation information for CVEs obtained from vendor advisories; see the Remediations links on CVE pages
  - Added supplementary affected product information obtained from vendor advisories to CVE details pages (in addition to CPE information)
  - Added the /api/v1/vulnerability/list-by-vendor-issued-id API endpoint, which can be used to query CVEs by vendor-specific ids such as model numbers, serials and similar, using data obtained from vendor advisories. Vendor-specific ids may not be available for all CVEs and products.
  - Added the /api/v1/vulnerability/supplementary-affected-products API endpoint, which can be used to query affected product information obtained from vendor advisories for CVEs
  - Added the /api/v1/vulnerability/remediations API endpoint, which can be used to query remediations for CVEs
  - Added CISA IT and OT advisories in CSAF format (more CSAF sources will be added gradually)
- October 3, 2024:
  - Added TAXII and STIX version 2.1 support
  - Added PDF, HTML and JSON reports/exports for SBOM analysis results. Reports and exports are generated at the end of an analysis process and contain the data available at that point in time. When viewing results (e.g. discovered CVEs) in the UI, live data at the time of viewing is used, which may lead to differences between PDF/HTML exports and live data. For example, EPSS scores in the PDF report are the EPSS scores available at the time of analysis, but when viewing discovered CVEs in the UI, current EPSS scores are displayed.
  - Added a "Logs" link for SBOM analysis, which can be used to view a brief summary of SBOM processing logs
  - Added metadata from the processed SBOM file to the analysis process description
  - Added the /vulnerability/epss-changes API endpoint, which can be used to query a list of CVEs with EPSS score changes
  - Added the /vulnerability/timeline API endpoint, which can be used to query the timeline for a CVE
- September 9, 2024: Added webhook/callback option to alerts, besides emails.
- August 25, 2024: Added the /api/v1/vulnerability/important-cves API endpoint, which can be used to query CVEs with exploit existence status changes, EPSS score changes or CISA KEV added dates. This endpoint can be used, for example, to query CVEs with high-risk changes (added to CISA KEV, EPSS score changed or exploit discovered) since the previous day. Also added new parameters to the /api/v1/vulnerability/search endpoint.
- August 24, 2024: Added Nuclei templates data, allowing users to view Nuclei templates related to CVEs.
- August 21, 2024: Added "New Issues" links to SBOM analysis results which will only return new issues compared to the previous analysis run.
- August 19, 2024: Added the /api/v1/data/data-type-constants API endpoint, which returns a list of dataType constants used in some API responses.
  - Added the /data/{dataGuid}/relations endpoint, which can be used to query related data, for example exploits which can be used to exploit a CVE.
- July 27, 2024: Added Ubuntu, Chainguard and Wolfi ecosystems to open source vulnerabilities.
- July 16, 2024: Added CVE risk score information to /api/v1/vulnerability/info responses.
- July 1, 2024: Added SBOM analysis support.
- May 12, 2024: Added printer friendly styles hiding headers, footers and similar items and providing a better layout for printed pages.
- March 13, 2024: Moved the Tech Stack menu item from the main menu to the user menu (right above Logout). A new version of the tech stack functionality, which allows users to create multiple tech stacks, has been added. The new functionality is available to Business and Enterprise plan customers only; tech stack functionality will remain the same for other users, including Pro plan customers. Business and Enterprise customers only: existing tech stack data has been migrated to a new tech stack named "Default". Users who had created Alerts and/or RSS Feeds for tech stacks need to review existing Alerts and RSS feeds.
- March 13, 2024: Added "is in CISA KEV" and "is used for ransomware" parameters for RSS feeds.
- February 24, 2024: Added ransomware utilization information to CVEs (i.e. whether the CVE is known to have been leveraged as part of a ransomware campaign or not). Added the isUsedForRansomware parameter to various vulnerability API endpoints.
- February 06, 2024: The /api/v1/vulnerability/list-by-cpe endpoint now supports searching by product CPE (without version information).
- January 20, 2024: Added automatic CVE-product associations. CVEs will be automatically associated with products when possible, without waiting for manual analysis. Initial product assignments may not be available for all CVEs or might not be 100% accurate. Auto-generated initial assignments will be removed once manually curated product information is available. Some versions might appear as "0" in automatic assignments; "0" is used as a placeholder when exact version information is not available. CVEs will be associated with products and vendors as usual even when the version number seems to be "0". CVEs might be associated with multiple products with similar names; this is intentional, to be on the safe side, i.e. instead of failing to generate an alert we prefer to generate an extra alert. In case of multi-product matches, such as an operating system and an application with the same name, CVEs will be associated with all potential matches. This will be fixed after manual analysis. Update January 26, 2024: Improved product matching and fixed bugs leading to invalid/unfiltered version strings and duplicate product matches.
- January 6, 2024: Added email alerts for CVEs affecting products/versions in the tech stack
- December 29: UI updates. Various changes to visual elements. Please hard refresh (typically achieved by clicking the refresh button while holding down the shift key) your browser if you notice any UI or layout problems.
- December 23: Added product risk scores (beta), product search and product info APIs.
- December 12: Added tech stack dashboard, providing statistics and insights about your tech stack. Also changed tech stack layout, separating products and versions.
- December 8: Added tech stack/inventory API endpoints. Added export to tsv option and API examples to tech stack vulnerabilities.
- December 4: Added RSS feeds for tech stack and labels. Also added the ability to search for vendor, products, version in the RSS feed form, making it more convenient to create RSS feeds.
- December 4: Added filtering options to tech stack vulnerabilities
- November 26: Added online payments for Pro and Business plans.
- November 14:
  - Added item labels, which can be used to add custom labels to items such as CVEs, products, versions etc.
  - Added item notes (look for the icons); users can now add notes to items such as CVEs, products, versions etc.
  - Added tech stack functionality allowing users to add products and/or versions to their tech stack/inventory. Tech stack reporting and alerting will be added in upcoming releases.
- November 5: Added risk scores for CVEs. This feature is in beta status and may change. See CVE-2023-36812 for an example.
- November 5: CVE details pages will display warnings when the CVE affects a product discovered on the user's attack surface.
- October 22: Added Open Source Vulnerability data from https://osv.dev. Users will have easy access to many new types of information.
Changed
- September 25, 2024: Only the most recently created 3000 versions of a product will be processed. Statistics and version vulnerabilities will not be updated for older versions. Alerts and RSS feeds will not function for those versions either. This only affects a few products including Linux Kernel and Chrome which have over 3000 different known versions. CVEs can still be queried by CPEs for older versions.
- August 16, 2024: Changed paging for vulnerability listing pages.
- March 13, 2024: Renamed the CVE data source from "NVD CVEs" to "CVE Data". The "NVD CVEs" name was used for historic reasons and did not reflect the current CVE processing implementation.
- March 13, 2024: Business and Enterprise plan customers have been migrated to the new version of the tech stack functionality.
- February 24, 2024: The way CVE assigners are displayed and stored was changed. A small number of entries (e.g. JetBrains and Usom.gov.tr) were deprecated to remove duplicate entries; other assigners were not impacted by this change. Going forward, organization names will be displayed on various pages instead of email addresses (e.g. Apache Software Foundation instead of security@apache.org), and vulnerability search API responses will include an additional field named assignerSourceName containing the organization name.
- February 24, 2024: Added an option allowing users to skip the login confirmation page.
- February 24, 2024: Enabled deep linking, i.e. users will be redirected to the page that they were trying to access after login. For example, when an anonymous user clicks a link that requires authentication, the user is redirected to the login form and, after authentication, to the original link URL instead of the home page.
- February 24, 2024: N/A will be displayed instead of 0.0 when a score is not available.
- October 11: Changed the ipAddressList parameter for the /api/v1/threat-intel/my-asi-ip-cpes endpoint to the "comma separated string" type to make it more convenient for users
- October 22: Alerts configured with the ASAP option will be processed once every hour, and only one email per 24-hour window will be sent, because emails were being marked as spam and were not reaching users.
Fixed
- December 23: Fixed a bug causing some vendors to be incorrectly marked as deprecated. Fixed a bug causing "null" strings to appear in some Nessus plugin descriptions.
- December 8: Fixed a bug causing Remove buttons to be shown for items not in tech stack.
- December 4: Fixed an issue causing configured EPSS scores to be miscalculated in RSS feeds and causing the feed to return some CVEs that would not match the configured EPSS score criteria. No change is needed in existing feed configurations.
- November 4: Fixed an issue causing some alert emails to fail.
- October 22: Fixed an issue preventing cc addresses for alerts from receiving emails.
- October 15: Fixed an issue affecting vendor, product, version statistics and recalculated all statistics and relations. Alert processing was skipped for this period to prevent excessive alerts.
- October 12: Fixed the issue preventing users from viewing IP details
- October 12: Fixed a JavaScript error causing some pages to fail to render properly
- October 11: Fixed a minor issue causing RSS feed URLs to return an empty response
- October 11: Fixed a minor issue affecting editing of alerts. If no end date is selected, it will default to December 31 of next year.
- October 10: Fixed a minor issue affecting alerts.
December 2023 release
- Public beta period ended by the end of November
- Free trial accounts will no longer have access to Attack Surface pages (except Tech Stack)
- Online payments are now available for Pro and Business plans
October 2023 release
- Membership and sign in: Users can now log in using their SecurityScorecard accounts. If you don't have a SecurityScorecard account, you can create one for free.
- Vulnerability intelligence: We have added extended vulnerability intelligence capabilities to the platform and will continue to add more. Registered users can now access advisories, source code changes, exploits, CVSS scores from different sources and much more besides CVEs.
- RSS feeds: Users can create custom RSS feeds (old feeds will be discontinued by the end of 2023)
- API access: New APIs are now available. Users can query CVEs and all related data using APIs (more endpoints to be added). (Old json feeds will be discontinued by the end of 2023)
- Threat overviews: For products and CVEs, which can be detected remotely over the internet, threat overviews will be displayed on product dashboard and CVE details pages.
- Attack surface intelligence: Attack surface summaries extracted from SecurityScorecard Attack Surface Intelligence for domains of registered users; this feature will be available by mid-October.
- Product and version deprecation information: Product and/or versions can be deprecated due to name changes, acquisitions or other reasons such as typos. We are now extracting deprecation information from NVD CPE data and letting users know if a product or version is deprecated, providing a link to the replacement.
- Email alerts
- Open source vulnerabilities from osv.dev
- Risk scores for CVEs
- Tech stack
August 2023
- CVE processing, adding version range and CVSS v3 support
- CISA KEV data
- EPSS data
- Metasploit modules
- Full-text search in CVE data
- Version matches
- Search by CPE
- CVE assigners, sources
No longer available
- Bugtraq data: Bugtraq is no longer available
- MS security bulletin data: The old MS security bulletin format was discontinued by Microsoft, and old MS security bulletin data is available for historical purposes only. Existing URLs will continue to work, but no new data will be added.
Other known issues
- Missing vendors, products and versions: The old version contained a small number of duplicates and/or incorrect entries, which were removed during the migration to the new version. A small number of old vendor, product and version URLs might have changed (especially those with non-alphanumeric characters in their names) or may no longer be available. Please update your bookmarks accordingly.