Vulnerability Data Archive

With the hope that someone finds the data useful, we're publishing an archive of almost all of the non-sensitive vulnerability information in our vulnerability reports database.

In 1998, CERT fielded a system to track vulnerability reports, coordinate with vendors, and publish advisories. This system was designed to support what is now known as "responsible" or "coordinated disclosure." Over the years, we collected a lot of vulnerability information, from a variety of public sources as well as private direct reports. Some of those reports were deemed important enough to analyze further, coordinate with vendors, and publish as vulnerability notes. Many of the reports were never published, even though they were already public. Seeing little value in collecting reports and doing little or nothing with them, we stopped in late 2008.

Today, there are reasonably good sources of public vulnerability information, such as CVE, NVD, Secunia, OSVDB, JVN, SecurityFocus, and X-Force. Our data archive isn't likely to substantially add to the information already provided by these sources. Nonetheless, we're publishing what we can, with the hope that someone finds some utility in it.

You can access the archive on the CERT website. For details about the archive, please see the README. We list a few high-level points below:

Our system is a document database (IBM Lotus Notes), not a relational database.
At the time of writing, there are ~41K vulnerability reports with a few consistent fields: ID, title, a couple dates, maybe a URL. Less than 10% of those reports contain further information. Even fewer reports have been published as vulnerability notes.
The archive contains ~23K vendor records. Vulnerability reports and vendor records are separate; you can join them using the vulnerability ID.
When performing any analysis using this data, please remember that it is largely inconsistent and incomplete.

We officially do not provide support for the archive, but we may be able to answer questions and consider feedback as resources permit. See our Contact Us page.

Software Engineering Institute

SEI Blog

Vulnerability Data Archive

Art Manion

July 11, 2012

PUBLISHED IN

CITE

TAGS

SHARE

Written By

Art Manion

Author Page

Digital Library Publications

Send a Message

More By The Author

Comments on Voluntary Voting System Guidelines 2.0 Principles and Guidelines

June 14, 2019 • By Allen D. Householder, Deana Shick, Jonathan Spring, Art Manion

Coordinated Vulnerability Disclosure for DoD Websites

April 2, 2018 • By Art Manion, CERT Insider Threat Center

Vulnerability Equities

November 15, 2017 • By Art Manion

Comments on BIS Wassenaar Proposed Rule

July 22, 2015 • By Allen D. Householder, Art Manion

Anatomy of Java Exploits

January 15, 2013 • By Art Manion, David Svoboda

More In CERT/CC Vulnerabilities

UEFI: 5 Recommendations for Securing and Restoring Trust

June 26, 2023 • By Vijay S. Sarvepalli

Vultron: A Protocol for Coordinated Vulnerability Disclosure

September 26, 2022 • By Allen D. Householder

UEFI – Terra Firma for Attackers

August 1, 2022 • By Vijay S. Sarvepalli

Probably Don’t Rely on EPSS Yet

June 6, 2022 • By Jonathan Spring

The Latest Work from the SEI: Coordinated Vulnerability Disclosure, Cybersecurity Research, Cyber Risk and Resilience, and the Importance of Fostering Diversity in Software Engineering

September 6, 2021 • By Douglas Schmidt (Vanderbilt University)