Tools: Vulnerability & Threat Intelligence
1. Introduction
Effective vulnerability management requires manufacturers to continuously monitor the security landscape for new threats and vulnerabilities that may impact their products.
For a detailed explanation of the compliance requirements for vulnerability handling and disclosure, see our guide on Coordinated Vulnerability Disclosure (CVD).
2. Build vs. Buy: A Clear Choice
You cannot "build" the primary sources of vulnerability intelligence like the NVD or CISA's KEV Catalog. The only choice is how to consume and analyze this data.
The "build" approach involves pulling raw data from dozens of public and private feeds, then developing a sophisticated in-house engine to deduplicate, correlate, and enrich this information to make it relevant to your products. This is a massive and continuous data engineering challenge.
For most organizations, the clear choice is to buy a commercial threat intelligence platform. These services do the hard work of aggregating and analyzing the raw data, providing you with a curated, prioritized, and actionable feed of intelligence that is directly relevant to your product portfolio. This allows your team to focus on remediation, not data engineering.
3. Intelligence Sources & Platforms
The resources listed here are the authoritative sources for this intelligence. They provide the databases, feeds, and platforms that manufacturers must monitor to track new CVEs in their dependencies, understand which vulnerabilities are being exploited in the wild, and meet their regulatory obligations.
| Resource | Type | Description |
|---|---|---|
| NVD (National Vulnerability Database) | 🐙 | The U.S. government's repository of standards-based vulnerability management data. This is the foundational source for most CVE information. |
| CISA Known Exploited Vulnerabilities Catalog | 🐙 | A curated list of vulnerabilities that are known to be actively exploited in the wild. This is a critical resource for prioritizing patching. |
| GitHub Advisory Database | 🐙 | A database of security advisories related to open-source projects hosted on GitHub. |
| Open Source Vulnerabilities (OSV) | 🐙 | A distributed vulnerability database and automation infrastructure for open-source projects, maintained by Google. |
| Exploit-DB | 🐙 | A publicly available archive of exploits and vulnerable software, maintained by Offensive Security. |
| FIRST.org EPSS | 🐙 | Home of the Exploit Prediction Scoring System (EPSS), an open, data-driven effort for estimating the likelihood that a software vulnerability will be exploited. |
| Recorded Future | 💰 | A commercial threat intelligence platform that provides real-time data and analysis on vulnerabilities, threat actors, and attack trends. |
| Mandiant Threat Intelligence | 💰 | Commercial intelligence services from Google Cloud, offering deep expertise on threat actors, malware, and attack campaigns. |
| HackerOne | 💰 | A vulnerability coordination and bug bounty platform that connects businesses with penetration testers and cybersecurity researchers. |
| Finite State | 💰 | A product security platform that enriches its vulnerability findings by correlating data from over 200 threat intelligence sources. |
| GreyNoise | 💰 | A threat intelligence service that collects and analyzes internet-wide scan and attack traffic to help filter out internet "noise". |

Type: 💰 = Commercial, 🐙 = Open-Source