
Overview

Binarly provides a Vulnerability Database (VDB) as a managed service, eliminating the need for customers to build and maintain their own multi-source vulnerability intelligence pipeline. NVD (National Vulnerability Database) is the primary advisory source. Every other source in this list enriches NVD data by adding language- and package-specific advisories, distribution vendor patches, security research, project-level disclosures, and real-world exploitation intelligence. Together they enable findings to carry accurate severity, exploitability context, and patch status across a wide range of targets. For the best results, VDB sources are matched against the ecosystem configured for each product (e.g. Ubuntu, Red Hat, Debian). This allows the platform to cross-reference distribution-specific patches against the relevant advisory sources, ensuring findings reflect the actual patch state of the scanned environment rather than upstream version numbers alone. Source IDs (e.g. nvd, ghsa, brly) appear in API responses and report exports, allowing findings to be traced directly back to their originating source.

Primary Source

| Source | ID | Description | Link |
| --- | --- | --- | --- |
| National Vulnerability Database | nvd | The authoritative U.S. government CVE repository maintained by NIST. Provides the canonical CVE identifiers, CVSS scores, and advisory details that all other sources are correlated against. | nvd.nist.gov |

Language & Package Sources

Language and package-manager-specific advisories provide vulnerability data that NVD alone does not always capture with sufficient detail or timeliness.
| Source | ID | Description | Link |
| --- | --- | --- | --- |
| GitHub Security Advisories | ghsa | Curated advisories for open-source packages across many ecosystems, published directly by maintainers and the GitHub Security Lab. | github.com/advisories |
| Rust Security Advisory Database | rustsec | Community-maintained advisories for Rust crates, covering vulnerabilities in the crates.io ecosystem. | rustsec.org |
| Python Security Advisories | pysec | Advisories for Python packages distributed via PyPI. | pypi.org |
| Go Vulnerability Database | go | The official Go team vulnerability database covering modules published to the Go module proxy. | pkg.go.dev/vuln |
| Haskell Security Advisories | hsec | Community-maintained security advisories for Haskell packages on Hackage, maintained by the Haskell Security Response Team. | github.com/haskell/security-advisories |
| Python Software Foundation | psf | Security disclosures published by the Python Software Foundation. | python.org |
| R Security Advisories | rsec | Security advisories for CRAN and Bioconductor packages, maintained by the R Consortium in OSV format. | github.com/RConsortium/r-advisory-database |

Distribution Sources

Linux distribution vendors often backport security fixes without changing upstream version numbers. These sources allow Binarly to account for patched packages in version-based detection and reduce false positives.
| Source | ID | Description | Link |
| --- | --- | --- | --- |
| Ubuntu Security Notices | usn | Canonical’s official security advisories for Ubuntu packages. Used to filter patched vulnerabilities in Ubuntu-based binaries. | ubuntu.com/security/notices |
| Alma Linux Security Advisories | alsa | Security errata for AlmaLinux, a RHEL-compatible distribution. | errata.almalinux.org |
| Red Hat Security Advisories | rhsa | Official Red Hat security errata covering RHEL and related products. (coming soon) | access.redhat.com |
| Rocky Linux Security Advisories | rlsa | Security errata for Rocky Linux, a RHEL-compatible community distribution. (coming soon) | errata.rockylinux.org |
| Debian Security Advisories | debian | Official Debian security tracker covering stable and LTS releases. (coming soon) | security-tracker.debian.org |
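The backport problem described above, as an added example (not Binarly's code or API): a distribution advisory for the target's configured ecosystem takes precedence over NVD's upstream fixed version, and the deciding source ID is recorded on the finding. The CVE id, package versions, advisory records and the simplified dpkg-style version comparison are all constructed for illustration.

```python
"""Added example, not Binarly's code: a distribution advisory must take
precedence over NVD for version-based detection, because fixes are backported
without bumping the upstream version string. All data below is constructed."""
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Advisory:
    source: str               # source id as it would appear in an API response
    cve: str
    ecosystem: Optional[str]  # None means upstream / ecosystem-agnostic (nvd)
    fixed_in: str             # first version carrying the fix, in that ecosystem's format

def version_key(v: str) -> tuple:
    """Tokenize '1.1.1f-1ubuntu2.4' into comparable parts: numbers compare
    numerically, letters lexically; a shorter prefix sorts first.
    Simplified stand-in for dpkg's algorithm, not a faithful copy."""
    return tuple((0, int(t)) if t.isdigit() else (1, t)
                 for t in re.findall(r"\d+|[A-Za-z]+", v))

def evaluate(cve: str, installed: str, ecosystem: str, advisories) -> dict:
    """Decide patch state for one CVE on one target. An advisory matching the
    target's ecosystem wins; otherwise fall back to the NVD upstream range."""
    for_eco = [a for a in advisories if a.cve == cve and a.ecosystem == ecosystem]
    upstream = [a for a in advisories if a.cve == cve and a.ecosystem is None]
    if for_eco:
        chosen, installed_cmp = for_eco[0], installed
    else:
        # NVD only knows upstream versions: drop the distro revision suffix
        chosen, installed_cmp = upstream[0], installed.split("-", 1)[0]
    patched = version_key(installed_cmp) >= version_key(chosen.fixed_in)
    return {"cve": cve, "status": "patched" if patched else "vulnerable",
            "sources": [chosen.source], "fixed_in": chosen.fixed_in}

# Constructed sample: NVD says fixed upstream in 1.1.1k; Ubuntu backported the
# fix into 1.1.1f-1ubuntu2.4 while keeping the upstream version string 1.1.1f.
ADVISORIES = [
    Advisory("nvd", "CVE-0000-0001", None, "1.1.1k"),
    Advisory("usn", "CVE-0000-0001", "ubuntu", "1.1.1f-1ubuntu2.4"),
]
INSTALLED = "1.1.1f-1ubuntu2.4"

if __name__ == "__main__":
    # Ubuntu configured: the USN decides, so the backport is not a false positive
    print(evaluate("CVE-0000-0001", INSTALLED, "ubuntu", ADVISORIES))
    # No matching ecosystem: only the NVD upstream range applies
    print(evaluate("CVE-0000-0001", INSTALLED, "alpine", ADVISORIES))
```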

Security Vendor Sources

| Source | ID | Description | Link |
| --- | --- | --- | --- |
| Binarly Security Research | brly | Original vulnerability research produced by Binarly’s REsearch team, including firmware and UEFI disclosures not covered by public databases. | binarly.io |

Project Sources

Direct vulnerability disclosures maintained by widely-deployed open-source projects. These may include additional context or severity assessments that differ from NVD.
| Source | ID | Description | Link |
| --- | --- | --- | --- |
| OpenSSL Security Advisories | openssl | Official vulnerability disclosures from the OpenSSL project. | openssl.org |
| cURL Security Advisories | curl | Vulnerability disclosures maintained by the cURL project. | curl.se |

Exploitation Intelligence Sources

These sources provide signals about whether a vulnerability has been actively exploited in the wild or has known public exploit code. They feed directly into risk scoring and reachability analysis, allowing Binarly to surface the highest-priority findings first.
| Source | ID | Description | Link |
| --- | --- | --- | --- |
| CISA Known Exploited Vulnerabilities | cisa | CISA’s authoritative catalog of CVEs actively exploited in the wild. Inclusion is a strong prioritization signal. | cisa.gov/kev |
| FIRST EPSS | first | The Exploit Prediction Scoring System (EPSS) provides a probability score (0–1) estimating the likelihood a CVE will be exploited within 30 days. | first.org/epss |
| Exploit Database | exploit-db | Offensive Security’s public archive of exploit code and proof-of-concept write-ups. | exploit-db.com |
| Metasploit Framework Modules | metasploit | Indicates whether a CVE has a weaponized module in the Metasploit penetration testing framework. | rapid7.com/metasploit |
| Nomi Sec PoCs | nomi-sec-pocs | Aggregated proof-of-concept exploit repositories on GitHub, curated by Nomi Sec. | github.com/nomi-sec |
| Nuclei Templates | nuclei-templates | Project Discovery’s library of Nuclei scanner templates, indicating a CVE has a working detection or exploitation template. | github.com/projectdiscovery |
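How the exploitation-intelligence source IDs in this table can drive prioritization, as an added example that is not Binarly's risk-scoring code: findings are ranked by the strongest exploitation evidence attached to them (KEV membership, then a weaponized Metasploit module, then a public PoC or template), with EPSS and CVSS breaking ties. The findings, scores and tier ordering are constructed assumptions.

```python
"""Added example, not Binarly's code: folding exploitation-intelligence
sources into a priority order. Findings, source ids on each finding, EPSS
values and the tier ordering are constructed for illustration."""
from dataclasses import dataclass, field

@dataclass
class Finding:
    cve: str
    cvss: float                                # base score from nvd
    sources: set = field(default_factory=set)  # exploitation source ids attached
    epss: float = 0.0                          # probability from the 'first' source, 0..1

# Strongest evidence first: confirmed in-the-wild exploitation (KEV) beats a
# weaponized module, which beats public PoC code or a scanner template.
TIERS = [
    ("exploited", {"cisa"}),
    ("weaponized", {"metasploit"}),
    ("public-poc", {"exploit-db", "nomi-sec-pocs", "nuclei-templates"}),
]
RANK = {name: i for i, (name, _) in enumerate(TIERS)}

def exploitation_tier(f: Finding) -> str:
    """Name of the highest tier any of the finding's source ids falls into."""
    for name, ids in TIERS:
        if f.sources & ids:
            return name
    return "none"

def priority_key(f: Finding) -> tuple:
    """Sort key: tier rank, then higher EPSS, then higher CVSS."""
    return (RANK.get(exploitation_tier(f), len(TIERS)), -f.epss, -f.cvss)

def prioritize(findings) -> list:
    """Return findings ordered highest priority first."""
    return sorted(findings, key=priority_key)

# Constructed sample: a CVSS 9.8 finding with no exploitation signal ranks
# below a CVSS 7.5 KEV entry and a CVSS 6.5 finding with a Metasploit module.
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, {"nvd"}, epss=0.02),
    Finding("CVE-0000-0002", 7.5, {"nvd", "cisa", "exploit-db"}, epss=0.40),
    Finding("CVE-0000-0003", 6.5, {"nvd", "metasploit"}, epss=0.90),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f.cve, exploitation_tier(f), f.epss, f.cvss)
```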

  • Detection Methods — How Binarly identifies vulnerabilities using version-based and rule-based detection
  • Risk Scoring — How exploitation intelligence sources influence finding priority
  • Reachability — How reachability analysis uses exploitability signals to reduce noise