boB Rudis 🇺🇦

Cyber folk: what are some of your fav, public tools or APIs (doesn't necessarily have to be "free") for getting info about CVEs? opencve? vulnrichment? cvemap? vulncheck? nvd? cvedetails? others?

@hrbrmstr ngl I forgot cvedetails. I want to like CVE.org but it lacks an obvious "This CVE is in the KEV Catalog" cc: @todb like NVD has with a "date added" column

@screaminggoat heh. I kind of LOL'd that the CVE 25th anniversary report had no actual CVEs in it, too. It was a tad hard on the eyes, too.

@hrbrmstr

tbh my go to is a combination of NVD, and searching Google, The Bad Place™, Mastodon, and occasionally Feedly (if you use https://feedly.com/cve/CVE-2021-44228 for example)

@screaminggoat @hrbrmstr @todb I think while obviously incomplete, @attackerkb is great, and it includes info about active exploitation too. Also cvedetails, yes.

@screaminggoat oh @ntkramer made me spend a gagillion $ on Feedly's threat intel feature for the team. It's a big crutch for him ;-)

@hrbrmstr @ntkramer tfw when people pay a subscription on a website that I search using a free account

@screaminggoat @ntkramer oh, you're just getting a tiny bit of what's behind the curtain. it's well worth the $ for us.

@hrbrmstr @ntkramer after a while, all of the CVE ID numbers blend together. When I started mentioning CVEs on Mastodon, I eventually decided that I wanted to see "fast facts" for myself:

  • the CVE with a link to a resource like CVE.org or NVD
  • the CVSS (and version) score
  • when the CVE ID# was first publicly known/announced
  • when it was actively exploited/added to the KEV Catalog
  • the official description for the vulnerability to include the vendor/software and possibly CWE

Plus all of that information decked out in links. That's how I've been writing out CVEs on Mastodon and I hope others enjoy that presentation.

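One way to assemble exactly those "fast facts" for a CVE, as an added example that is not part of this thread: it joins an NVD CVE API 2.0 record with the matching CISA KEV catalog entry and renders the link-decked block described above. The JSON below is constructed sample data shaped like those two public feeds, and the nvd.nist.gov detail-page URL format is an assumption.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample records shaped like the NVD CVE API 2.0 and the CISA KEV
# catalog JSON (assumption: field names follow those two public feeds).
NVD_SAMPLE = json.loads("""{"vulnerabilities": [{"cve": {
  "id": "CVE-2021-44228", "published": "2021-12-10T10:15:09.143",
  "descriptions": [{"lang": "en", "value": "Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints."}],
  "metrics": {"cvssMetricV31": [{"cvssData": {"version": "3.1", "baseScore": 10.0}}]},
  "weaknesses": [{"description": [{"lang": "en", "value": "CWE-917"}]}]}}]}""")
KEV_SAMPLE = json.loads("""{"vulnerabilities": [{"cveID": "CVE-2021-44228",
  "vendorProject": "Apache", "product": "Log4j2", "dateAdded": "2021-12-10"}]}""")

@dataclass
class FastFacts:
    cve_id: str
    link: str
    cvss: Optional[str]          # "10.0 (CVSS v3.1)", or None if NVD has not scored it yet
    published: str               # date NVD first published the record
    kev_added: Optional[str]     # KEV "date added", or None if not in the catalog
    vendor_product: Optional[str]
    cwe: Optional[str]
    description: str

def build_fast_facts(nvd: dict, kev: dict, cve_id: str) -> FastFacts:
    cve = next(v["cve"] for v in nvd["vulnerabilities"] if v["cve"]["id"] == cve_id)
    # NVD may carry several CVSS versions for one CVE; report the newest available.
    cvss = None
    for key, ver in (("cvssMetricV31", "3.1"), ("cvssMetricV30", "3.0"), ("cvssMetricV2", "2.0")):
        if cve.get("metrics", {}).get(key):
            cvss = f'{cve["metrics"][key][0]["cvssData"]["baseScore"]} (CVSS v{ver})'
            break
    kev_entry = next((k for k in kev["vulnerabilities"] if k["cveID"] == cve_id), None)
    desc = next(d["value"] for d in cve["descriptions"] if d["lang"] == "en")
    cwe = next((d["value"] for w in cve.get("weaknesses", []) for d in w["description"] if d["value"].startswith("CWE-")), None)
    return FastFacts(
        cve_id=cve_id, link=f"https://nvd.nist.gov/vuln/detail/{cve_id}", cvss=cvss,
        published=cve["published"][:10],
        kev_added=kev_entry["dateAdded"] if kev_entry else None,
        vendor_product=f'{kev_entry["vendorProject"]} {kev_entry["product"]}' if kev_entry else None,
        cwe=cwe, description=desc)

def render(f: FastFacts) -> str:
    # One post-sized block: each fact on its own line, the CVE ID as a link.
    kev = f"KEV added: {f.kev_added}" if f.kev_added else "KEV: not listed"
    return "\n".join([f"[{f.cve_id}]({f.link}) | CVSS: {f.cvss or 'unscored'}",
                      f"Published: {f.published} | {kev}",
                      f"{f.vendor_product or ''} {f.cwe or ''}".strip(),
                      f.description])
```

Swap the constructed samples for the live feeds (NVD's `/rest/json/cves/2.0?cveId=` endpoint and CISA's `known_exploited_vulnerabilities.json`) and the same join gives the KEV "date added" column that CVE.org currently lacks.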

@screaminggoat @hrbrmstr Security Scorecard has been a very capable custodian for CVEDetails.

I dream of an ADP (that gets its own JSON bucket in the cve.org feed) and all they do is manage media and research references - and archives them along the way to defend against C&Ds/defunding/mergers.

Software archeology will be important. Wasn't that a thing in the Culture series? Or am I thinking of Vernor Vinge's series?
