Why VulnDB HQ?

What is VulnDB HQ?

VulnDB HQ is a platform that lets your organization create and manage a private repository of vulnerability descriptions that can be used to easily generate reports for your customers.

In addition to your private repository you get access to the Public repository that contains entries for some of the most common security issues.

But, we already have a wiki/word document/in-house application to manage our vulnerability descriptions!

Recognizing the value of a central repository of issues that can be reused across reports is a great first step.

However, wikis and static documents are not the best fit for the job. VulnDB HQ is built with the needs of the security specialist in mind: collaboration is built in, content is structured and always at hand, and the Public repository is kept up to date with the latest developments in the industry.

Finally, if you are a security company and have built an in-house application to manage your repository, you can still benefit from switching to VulnDB HQ. Our core business is to provide you with a simple solution that lets you service your customers without interruptions. We implement new features, fix problems and keep the Public repository up-to-date so you don't have to allocate time and resources to keep your backend systems up and running.

VulnDB HQ is developed by Security Roots, and this is our vision of the industry.

Consistent and up-to-date issue descriptions across reports

As the team grows, one of the most common challenges faced by management is to ensure the consistency of the deliverables.

With VulnDB HQ you can rest assured that the same high-quality issue description will be provided to your customers every time.

Collaboration

A static issue description that never gets updated is not very useful. In VulnDB HQ you can easily manage all your vulnerability descriptions and keep them up to date.

VulnDB HQ also comes with peace of mind: all changes are tracked and can be reverted.

Fast reports

VulnDB HQ provides a powerful API to ensure it can be used with your existing systems and reporting tools.

If you currently do not use any reporting tool, VulnDB HQ integrates out-of-the-box with Dradis Professional Edition and the Dradis Framework so you can start producing professional reports straight away.

The Public repository

When you sign up for VulnDB HQ, you not only get your own private repository, where your team can keep a list of issue descriptions, but also access to the Public repository.

The Public repository contains dozens of issue descriptions ready for you to use. We add new issues every month and keep the existing ones up to date with the latest developments in the industry.

You can create a private copy of a public entry and adjust it to your needs, and you get notified if the public entry is updated after you forked it.

Hold on a second... aren't vulnerability descriptions very sensitive stuff?

Full vulnerability descriptions, including details that could lead to exploitation, are indeed sensitive material.

However, VulnDB HQ is a platform to store the boilerplate descriptions and recommendations associated with the issues, not the specifics of every instance.

Our proposed workflow would be:

  1. Create a new entry (or copy it from the Public repo). For instance: “DOM-based cross-site scripting”.
  2. If you find an instance of this issue during a security review:
    a. Copy the entry from VulnDB HQ into your report or your reporting tool (e.g. Dradis Pro or Dradis Framework).
    b. Adjust the template with the specifics of this instance (e.g. “It affects the /modules/search page...”).
  3. If someone spots a typo or wants to add a new reference, just save your changes in VulnDB HQ and they will be there for you next time.

As you can see, the only really sensitive information here is in step 2.b, and that step only happens on your laptop.