04/01/2026
Binarly Transparency Platform 3.8.1 ships a redesigned finding details experience, variants management on the finding page, an AI assistant for triage, and CycloneDX SBOM enrichment.
Starting with this release, Binarly ships on a weekly cadence using semantic versioning. Versions follow the format MAJOR.MINOR.PATCH+YYYY.MM.DD, where the build metadata suffix is the release date. The version shown in the platform UI matches this identifier.

Hero Features

  • Finding Variants
    • Configure a prioritized list of alternative vulnerability data sources per product. When a matching variant exists, its attributes override the corresponding finding attributes
    • A dedicated Variants tab on the finding details page shows all available variants and their source attribution, with the currently applied variant marked
    • Variant state is reflected consistently across the findings grid, JSON exports, and finding escalations
  • Redesigned Finding Details Page
    • New right side panel shows finding details and key metrics at a glance, without leaving the findings grid
    • Integrated search bar on the finding details page for navigating content across sections
    • Structured information cards for References, Escalations, Notes, Description, PQC Compliance, Structured Data Evidence, Code Listing Evidence, and Finding Instances
    • Reports and Actions menus consolidate report generation and common operations into a single location
    • Copy content menus on finding cards and evidence sections enable quick extraction in Markdown, JSON, or clipboard format

Features

Compliance

  • CycloneDX SBOM Compliance & Enrichment
    • SBOM exports now include CVSS severity, references, variants, and CWE data for each vulnerability
    • Every BOM is assigned a unique URN UUID serial number per the CycloneDX specification
    • CycloneDX metadata now includes the post-build lifecycle phase and the version of the analyzed image
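
A consumer-side check for the enrichment fields listed above, as an added example (not Binarly's code). It assumes the export is CycloneDX JSON and that the analyzed image version is carried in `metadata.component.version`; the sample BOM and its ids are constructed, and variant data is not checked because the page does not say where it is carried.

```python
import re

# Constructed sample shaped like a CycloneDX JSON BOM; every value is made up.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
    "metadata": {
        "lifecycles": [{"phase": "post-build"}],
        "component": {"type": "firmware", "name": "example-image", "version": "1.2.3"},
    },
    "vulnerabilities": [
        {
            "id": "CVE-0000-0000",  # placeholder id
            "ratings": [{"method": "CVSSv31", "score": 7.5, "severity": "high"}],
            "cwes": [787],
            "references": [{"id": "EXAMPLE-1", "source": {"name": "example-source"}}],
        },
        {"id": "CVE-0000-0001"},  # placeholder id, deliberately unenriched
    ],
}

# urn:uuid: followed by a lowercase, hyphenated UUID.
URN_RE = re.compile(r"^urn:uuid:[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def check_bom(bom):
    """Return a list of problems found; an empty list means every check passed."""
    problems = []
    if not URN_RE.match(str(bom.get("serialNumber", ""))):
        problems.append("serialNumber is not a urn:uuid value")
    meta = bom.get("metadata", {})
    phases = {lc.get("phase") for lc in meta.get("lifecycles", [])}
    if "post-build" not in phases:
        problems.append("metadata.lifecycles lacks the post-build phase")
    if not meta.get("component", {}).get("version"):
        problems.append("metadata.component.version is missing")
    for vuln in bom.get("vulnerabilities", []):
        vid = vuln.get("id", "<no id>")
        # Enrichment per vulnerability: severity rating, CWE list, references.
        if not any(r.get("severity") for r in vuln.get("ratings", [])):
            problems.append(f"{vid}: no rating with a severity")
        for field in ("cwes", "references"):
            if not vuln.get(field):
                problems.append(f"{vid}: {field} is empty or missing")
    return problems


if __name__ == "__main__":
    for line in check_bom(SAMPLE_BOM):
        print(line)
```
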

Triage

  • AI Assistant
    • AI Assistant button on the finding page opens the triage drawer with the first contextual suggestion pre-applied. The button is shown only when suggestions are available
  • SSVC and CVSS Display
    • SSVC metric section on the finding page redesigned for clarity
    • CVSS v4 scores are now formatted and displayed correctly, with the version prefix shown for all CVSS v2/v3/v4 entries

API

  • BA2 Download API
    • New API endpoint for direct download of BA2 analysis archive files; accessible from VulHunt Jupyter notebooks and external workflows
  • Sources Management API
    • New endpoints for listing and editing sources and exposing variant application policy operations for automation workflows

Platform

  • Scope Status Auto-Refresh
    • Scope status indicators on product and finding pages refresh automatically
  • Organization Page Access
    • Organization pages are now read-only accessible to all Org Users, not only via direct link
  • Transparent Platform Versioning
    • The UI now displays the date-based release version for easy correlation with deployment history

VulHunt Community Edition

The Binarly research team launched VulHunt Community Edition alongside this release — an open-source binary vulnerability hunting tool. VulHunt uses dataflow analysis and Weggli-based code pattern matching rather than signature matching or version inference. Write Lua-based rules, scan binaries, and get findings annotated at exact instruction addresses in decompiled code. Supports x86 and ARM (32/64-bit) for POSIX binaries and UEFI firmware.
  • Taint tracking and dataflow analysis for command injection, buffer overflows, and use-after-free
  • Architecture-independent code pattern matching on decompiled output
  • LLM integration via MCP for automated triage and rule generation
  • Integration with Binary Ninja and the Binarly Transparency Platform
Install via one-liner, Docker, or from source on Linux, macOS, and Windows. See vulhunt.re for documentation and rules.