Licensing Appendix
The Vulnetix Vulnerability Database aggregates data from 160+ upstream sources. Each record is served with its origin tagged, and the upstream source’s licence terms apply to that record’s content. This appendix groups sources by their redistribution terms.
Vulnetix does not assert a proprietary licence over community/open vulnerability data. Our model is pass-through: upstream content is served as-is, tagged with its source. Vulnetix-authored enrichment fields (proprietary analysis, malware linkage, safe harbour scoring) are clearly distinguished and covered by commercial terms only.
Public Domain / US Government Works
Works prepared by officers or employees of the US federal government as part of their official duties are not subject to copyright in the United States under 17 U.S.C. § 105. Redistribution is unrestricted. Two caveats apply when relying on this: the exemption does not automatically cover works produced for the government by contractors, and it is a rule of US law only, so it does not waive any copyright the US government may hold in other jurisdictions.
CC-BY 4.0 / CC-BY-SA
Creative Commons Attribution licences. Redistribution permitted with attribution to the original source; under CC-BY 4.0 that means identifying the creator, linking to the licence and indicating any modifications. CC-BY-SA additionally requires that adapted material be distributed under the same licence.
- MITRE CVE (CC0 for CVE IDs; CC-BY for descriptions)
- GHSA
- GHSA (OSV)
- EUVD
- ENISA EU KEV
- Open Cloud Vulnerability DB (CC-BY 4.0)
- circl (CC-BY 4.0)
- CERT-UA (CC-BY 4.0)
- CERT-EU (CC-BY 4.0)
- ENISA CSIRT (CC-BY 4.0)
- ACSC Alert (CC-BY 4.0 — © Commonwealth of Australia)
- deps.dev Packages (CC-BY 4.0)
- Python PSF Advisory Database (CC-BY 4.0)
- Go Advisory (OSV)
- RustSec Advisory
- PyPI Advisory
- Haskell Advisory
- OCaml Advisory
- RConsortium Advisory
- Global Security Database
CC0 / Open Data
Public domain dedication or equivalent open data terms. No restrictions on redistribution.
CC-BY-NC-SA / Non-Commercial
Creative Commons Attribution-NonCommercial-ShareAlike. Redistribution permitted for non-commercial purposes only; derivatives must use the same licence.
- VARIoT (CC-BY-NC-SA-4.0 — EU-funded IoT project; commercial redistribution prohibited)
Apache 2.0 / MIT / Open Source
Standard open source licences. Redistribution permitted under each licence's own terms, which differ: MIT, BSD and Apache 2.0 require that the copyright and licence notices be retained (Apache 2.0 also requires any NOTICE file to be carried along); GPL-licensed material (Zero Science Lab, the GPL range of ET Open) additionally requires that derivative works be distributed under the GPL.
- SigmaHQ (DRL / MIT)
- ProjectDiscovery Nuclei (MIT)
- Rapid7 Metasploit Framework (BSD)
- Emerging Threats ET Open (BSD — SIDs 2000000–2099999; GPL — SIDs 2100000–2103999)
- Chainguard Security Data
- Wolfi Security Data
- in-toto (Apache 2.0)
- Docker Hardened Images (Apache 2.0)
- Gemnasium Advisory (GitLab)
- Google Open Source Intelligence (Apache 2.0 — osv.dev platform)
- Bitnami Advisory (Apache 2.0)
- Zero Science Lab (GPLv3)
- OpenSSF Scorecard (CDLA Permissive 2.0)
Vendor Terms — Redistribution Generally Permitted
Vendor-published advisories for which redistribution is either permitted in stated terms or implied by publication through an open RSS/CSAF feed. Attribution required. Where an entry's inline note states narrower terms than this heading (for example CERT-CC), the inline note takes precedence.
- Red Hat Security Errata
- Cisco CVRF
- ABB CSAF
- SUSE CSAF
- Open-Xchange CSAF
- Schneider Electric (SEVD-)
- Microsoft MSRC
- Chromium Security
- Mozilla Security
- Tailscale Security Bulletin
- ISC Advisory
- Binarly Advisory
- CERT BUND CSAF
- CERT-CC — Carnegie Mellon; non-commercial redistribution free; commercial use requires permission
- CERT-FR
- CERT-AT
- CERT-LV
- CERT-CA (Open Government Licence — Canada)
- NCSC-FI
- Canonical/Ubuntu Advisory
- Debian Security Advisories
- Alpine SecDB
- AlmaLinux Advisory
- RockyLinux Advisory
- Oracle Linux
- AWS Amazon Linux 1 (EOL)
- AWS Amazon Linux 2
- AWS Amazon Linux 2023
- Azure Linux (3.0)
- Photon Security Advisories
- Arch Linux Issue Tracker
- Gentoo Bugzilla Security
Vendor Terms — Redistribution Restrictions Apply
Sources with explicit redistribution limitations. Data may be consumed for informational use, but onward redistribution requires review against the stated terms.
- NCSC-NL CSAF — "No rights derivable (informational use)"
- NCSC-NL Nieuwsberichten — "No rights derivable" applies to news articles as well
- CERT-JP Advisory — Notification required for redistribution
- CERT-BE — Redistribution of copyrighted material requires prior written permission from Centre for Cybersecurity Belgium
- CNVD Advisory (China) — Proprietary; bulk export prohibited
- FSTEC BDU (Russia) — Government restricted
- Siemens CSAF — Subject to Siemens website terms; explicit commercial redistribution not permitted without authorisation
- SAP NetWeaver — Customer-only access terms
- D-Link Firmware — Vendor terms apply
- OpenBSD — BSD licence; advisory text terms vary
- ExploitDB — OffSec; website terms explicitly prohibit reproducing, duplicating, or reselling any portion without written permission
- AttackerKB — Rapid7 proprietary; redistribution rights reserved by Rapid7
- HackerOne Hacktivity — Authenticated API subject to HackerOne ToS (non-sublicensable, non-transferable); see also Implicit / No Stated Licence for the unauthenticated public GraphQL data we use
- Shadowserver — Data redistribution and resale prohibited per Shadowserver terms
Commercial / Membership Required
Sources requiring paid subscription, membership, or commercial licence agreement. Data availability may vary by tier.
- VulnCheck NVD++
- VulnCheck KEV
- VulnCheck XDB
- Snyk
- Veracode SourceClear
- Wiz Vulnerability Database
- Shodan Sightings
- GreyNoise
- Vulners
- 0day.today
- Cyber Threat Alliance — Membership-based; restricted to members
- Spamhaus
- CrowdSec
- Tenable Security Advisories
- WPScan — Vulnerability database; non-commercial API free (25 req/day); commercial use requires paid licence
- AusCERT — Membership-based; advisory access restricted to members
Third-Party Scores — Attributed
Publicly available scoring systems surfaced with attribution. Redistribution confirmation pending from respective owners.
- Coalition ESS — Exploit Scoring System by Coalition Inc. Redistribution confirmation pending.
- EPSS — Exploit Prediction Scoring System by FIRST.org. Redistribution confirmation pending.
Implicit / No Stated Licence
Sources published via RSS feeds or public web pages without explicit redistribution terms. Our position is that publishing an advisory feed constitutes an implicit licence to consume and aggregate it for the purpose for which it was published.
- SICK PSIRT Advisory
- Nozomi Networks PSIRT
- Defiant Wordfence
- Patchstack
- Source Incite
- WLB
- Wiz Cloud Advisories
- CXSecurity Exploit
- Packet Storm Security
- Vulnerability Lab
- Knownsec Seebug
- Bugcrowd CrowdStream — IP assigned to Bugcrowd by researchers per Standard Disclosure Terms (irrevocable, exclusive, sublicensable); CrowdStream is an opt-in public activity feed served via unauthenticated JSON endpoint; disclosed reports are published with programme owner consent under Coordinated Disclosure policy; robots.txt unrestricted; no explicit API redistribution licence stated
- HackerOne Hacktivity (public disclosures) — IP owned by the reporter (Finder) per HackerOne Finder Terms; publicly disclosed via unauthenticated GraphQL endpoint with no stated redistribution licence; robots.txt unrestricted
- Google Project Zero
- ProtectAI Huntr
- Trend Micro Zero Day Initiative
- GitHub PoC Repos/Gists
- Bluesky Mentions — public AT Protocol firehose; commercial aggregation may require Bluesky PBC agreement
- Fediverse Mentions — ActivityPub protocol permits federation; redistribution terms vary by instance
- X.com Mentions
- References Enrichment
- Anchore ADP
- CleanStart Advisory
- opensourcemalware.com
- Drupal Advisory
- Mageia Advisory
- End-of-Life
- bpkg
- SANS ISC
- TALOS
- CERT-SE
- CSIRT-ITA
- CERT-PT
- CERT-IL
- CERT-TW
- Android Security Bulletins — Google/AOSP content licence; bulletin text terms not explicitly stated
- Linux Kernel CVE — Linux CNA; no explicit data redistribution licence stated
OSV ecosystem package-level advisories (npm, Maven, NuGet, crates.io, Hex, Packagist, Pub, RubyGems, SwiftURL, R CRAN/Bioconductor, curl, git, GitHub Actions, and others) follow the terms of their upstream advisory database — typically GHSA (CC-BY 4.0) or Google OSV (Apache 2.0).
This appendix reflects our current understanding of upstream licence terms as of April 2026. Source licences may change. For the latest terms, refer to each source directly. Sources with redistribution restrictions are being reviewed by legal counsel.