With the hope that someone finds the data useful, we're publishing an archive of almost all of the non-sensitive vulnerability information in our vulnerability reports database.
In 1998, CERT fielded a system to track vulnerability reports, coordinate with vendors, and publish advisories. This system was designed to support what is now known as "responsible" or "coordinated disclosure." Over the years, we collected a lot of vulnerability information, from a variety of public sources as well as private direct reports. Some of those reports were deemed important enough to analyze further, coordinate with vendors, and publish as vulnerability notes. Many of the reports were never published, even though they were already public. Seeing little value in collecting reports and doing little or nothing with them, we stopped in late 2008.
Today, there are reasonably good sources of public vulnerability information, such as CVE, NVD, Secunia, OSVDB, JVN, SecurityFocus, and X-Force. Our data archive isn't likely to substantially add to the information already provided by these sources. Nonetheless, we're publishing what we can, with the hope that someone finds some utility in it.
- Our system is a document database (IBM Lotus Notes), not a relational database.
- There are ~41K vulnerability reports with a few consistent fields: ID, title, a couple dates, maybe a URL. Less than 10% of those reports contain further information. Even fewer reports have been published as vulnerability notes.
- The archive contains ~23K vendor records. Vulnerability reports and vendor records are separate; you can join them using the vulnerability ID.
- When performing any analysis using this data, please remember that it is largely inconsistent and incomplete.
We officially do not provide support for the archive, but we may be able to answer questions and consider feedback as resources permit. Send email to firstname.lastname@example.org and include the tag INFO#365908 in the subject.