Have you heard about vulners.com?

Vulners.com is a new search engine for security content.

Vulners.com searching engine

Guys from vulners.com collect vendor security bulletins, lists of vulnerabilities found by researchers,  content of open vulnerability and exploit databases, posts on hack forums and even detection rules from vulnerability scanners. They investigate dependencies among all this entities and provide fast and efficient searching interface. Moreover, you can even automate searching process with Vulners Search API. All for free!

Vulners.com 'Heartbleed' search results

You can read Russian translation of this post on seclab. I can also recommend a great article “Vulners.com, a Shodan of vulnerability data” by Denis Gorchakov.

Why might you need it?

1. Well, obviously you can use it for searching phrases in security content,

Various filters are available: bulletin type, CVSS Score, date.

Vulners.com Searching Filters

Bulletin type (27 different  types):

Vulners.com Security Bulletin Types

Common Vulnerability Scoring System (CVSS) Score (0-10):

Vulners.com CVSS Score filter

You can sort results by publish date and CVSS Score:

Vulners.com Order by filter

Some more “order by” options that not described here: modified – date of modification, bounty – the size of bug bounty reward.

Date filters:

Vulners.com Date filter

So, we can produce request “type:centos cvss.score:10 order:published” only by clicking on the filters:

Vulners.com CentOS vulnerabilities request

2. You can use this instrument to get relevant information about particular vulnerability. On which platform it exists, how it could be exploited, how it could be patched on different platforms, what security experts are talking about this vulnerability on hack forums. And all this will be updated on regular bases fully automatically.

Searching CVEs related to Heartbleed “type:cve Heartbleed“:

Vulners.com Heartbleed CVE-2014-0160 responce

Detailed description with vulnerable software versions and links to related entities:

Vulners.com detailed description with vulnerable software versions and links to related entities

By the way, this line of icons in the upper right corner is a graphical representation of CVSS vector and base score, for example CVSS v2 Base Score 7.2 (HIGH) (AV:L/AC:L/Au:N/C:C/I:C/A:C):

Vulners.com CVSS indicator

3. Using vulners.com you can easily describe your IT department why vulnerabilities you found with vulnerability scanner are dangerous and should be patched. You can find exploits available for this vulnerabilities by CVE number or other IDs. Not only the fact that vulnerability is exploitable, but see full code of exploit.

Searching for exploits “CVE-2014-0160 type:exploitdb“:

Vulners.com CVE-2014-0160 exploits searching

Detailed exploit description and source code:

Vulners.com exploit description

4. Maybe you are from HR and you looking for the best pentester or ethical hacker. Try to search your candidate on vulners.com. You can find what vulnerabilities he has reported and how lucky he was on bug bounty programs. And if you are that guy you can add this link to your resume by yourself 😉

Searching for person with sorting by bug bounty reward size “isox order:bounty“:

Vulners.com Bug Bounty program search example

5. If you are doing pentests you can easily find exploits for the particular platform. Are you interested in examples of real SQL injections or vulnerabilities that were found, for example, on Vimeo? Easy! All to inspire you and make your job more efficient.

Windows 10 exploits “type:exploitdb windows 10“:

Vulners.com Windows 10 exploits

SQL injections from hackerone “type:hackerone sql injection“:

Vulners.com SQL injections from hackerone searching

Vimeo vulnerabilities from hackerone “type:hackerone Vimeo“:

Vulners.com Vimeo vulnerabilities searching

And much much more. If you know a good use case feel free to write it in comments bellow.

2 thoughts on “Have you heard about vulners.com?

  1. Pingback: Vulners.com search API | Alexander V. Leonov

  2. Pingback: PCI DSS 3.2 and Vulnerability Intelligence | Alexander V. Leonov

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.