
Service Description

The Vilocify service monitors thousands of security sources for vulnerability information affecting the components in its database. Users define monitoring lists in the Vilocify Portal, and the service proactively alerts the subscribers of a list whenever new notifications affecting its components are published. To use the Vilocify service optimally, it is important to understand its base concepts and workflows, which are described in the following.

Component

In the context of the Vilocify service, a component can be any piece of software (both open source and commercial off-the-shelf), hardware, or a combination thereof. Examples of components are:

  • operating systems like Microsoft Windows 10 or Red Hat Enterprise Linux Server 7
  • software libraries like OpenSSL 1.0.2n or GNU Gzip 1.9
  • specific hardware like Fujitsu Primergy RX300 S2 Server or Cisco Catalyst 3750 Series Switches
  • combinations of hardware and software (when they are provided by the same vendor) like Cisco IOS on Catalyst 2960-XR Series Switches 15.x or Juniper Junos OS on SRX5800 Platform
  • cloud components for which the vendor publishes security-related information, e.g. Amazon AWS CloudFront

The full list of components currently monitored by the Vilocify service can be found in the components section of the Vilocify Portal or retrieved via the REST API. Components in the Vilocify database have (amongst others) the following attributes:

  • Vendor: The company, organization, open-source community, or author of the desired component.
  • Component Name: The name used to describe the software/hardware component as given by the vendor.
  • Version: The specific version of the software/hardware. Additionally, the Vilocify service monitors wildcard components, which group a range of versions. For example, the wildcard version 2.x covers all versions from 2.0 (inclusive) up to 3.0 (exclusive). Furthermore, All Versions components represent every version released from the time the All Versions component was added to the Vilocify monitoring database.
  • URL: Link to the official vendor page for the component.
  • Monitored Since: The date on which the component was added to the Vilocify monitoring service. Vulnerabilities disclosed before that date might not be assigned to that component.
  • EOL: End of Life, stating whether the vendor has discontinued support for the component. Generally, no security updates can be expected for components marked as EOL. Not all vendors provide EOL information for their products, so a component without an EOL date is not necessarily still supported. Vilocify provides support information on a best-effort basis. Components are marked as EOL only when an official vendor statement exists; the support status is not derived automatically from e.g. the age of a component or the existence of newer versions.
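The following is an added illustration of the wildcard version semantics described above; it is not code from the Vilocify service or its REST API. The only rule taken from the page is that a wildcard such as 2.x covers every version from 2.0 (inclusive) up to 3.0 (exclusive). How the real service tokenises version strings is not documented here, so the dotted-numeric parsing below (and the handling of suffixes like the "n" in OpenSSL 1.0.2n) is an assumption made for this example.

```python
"""Wildcard version matching as described for Vilocify wildcard components.

Added example, not Vilocify's own code. Assumptions made here:
  - versions are dotted numeric strings, optionally with a trailing
    non-numeric suffix per part (e.g. "1.0.2n"), which is ignored;
  - a wildcard ends in ".x" and covers the half-open range
    [prefix, prefix-with-last-part-incremented), so 2.x is [2.0, 3.0).
"""
from __future__ import annotations

import re

_LEADING_NUMBER = re.compile(r"\d+")


def parse_version(version: str) -> tuple[int, ...]:
    """Turn "1.0.2n" into (1, 0, 2) so versions compare numerically.

    Comparing strings would put "2.10" before "2.9"; integer tuples
    order 2.10 after 2.9 as intended.
    """
    parts: list[int] = []
    for piece in version.split("."):
        match = _LEADING_NUMBER.match(piece)
        if match is None:
            break  # stop at the first part with no leading number
        parts.append(int(match.group()))
    if not parts:
        raise ValueError(f"no numeric component in version {version!r}")
    return tuple(parts)


def wildcard_range(wildcard: str) -> tuple[tuple[int, ...], tuple[int, ...]]:
    """Translate a wildcard into its half-open interval.

    "2.x"   -> ((2,), (3,))      i.e. 2.0 <= v < 3.0
    "2.4.x" -> ((2, 4), (2, 5))  i.e. 2.4.0 <= v < 2.5.0
    """
    if not wildcard.endswith(".x"):
        raise ValueError(f"wildcard {wildcard!r} must end in '.x'")
    lower = parse_version(wildcard[:-2])
    upper = lower[:-1] + (lower[-1] + 1,)
    return lower, upper


def wildcard_matches(wildcard: str, version: str) -> bool:
    """True if the concrete version falls inside the wildcard's range.

    Tuple comparison treats a shorter tuple as smaller when it is a
    prefix, so (3, 0) < (3,) is False and 3.0 is correctly excluded
    from 2.x, while (2,) <= (2, 0) keeps 2.0 included.
    """
    lower, upper = wildcard_range(wildcard)
    return lower <= parse_version(version) < upper


def affected(wildcard: str, inventory: list[str]) -> list[str]:
    """Filter an inventory of concrete versions to those a wildcard covers."""
    return [v for v in inventory if wildcard_matches(wildcard, v)]


if __name__ == "__main__":
    # Constructed sample inventory, not data from the Vilocify database.
    sample = ["1.9.99", "2.0", "2.9", "2.10", "3.0"]
    print("2.x covers:", affected("2.x", sample))
```

The boundary cases worth remembering are 2.0 (inside) and 3.0 (outside), and that numeric ordering is required: a lexicographic comparison would wrongly sort 2.10 below 2.9.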

Components in the Vilocify database are subject to regular reviews and quality checks. While small corrections of single attributes might occur, a registered component will never be updated in such a way that it represents a semantically different one. In case logical duplicate components are detected, one will be deactivated and replaced by the other. All resources (monitoring lists, existing notifications, API responses, etc.) will be automatically updated accordingly.

Component Requests

Components are added to the Vilocify database only when they are explicitly requested by our users. If you cannot find the component you need for your monitoring list, please request it through our request form or the REST API. Vilocify's analysts then process the request to ensure that the component actually exists in the requested version. If our analysts cannot identify the component, the request is rejected. The more information you provide in your component request, the less likely it is to be rejected.

Security Notification

The Vilocify service constantly monitors thousands of sources (official vendor advisory pages, vulnerability databases, security mailing lists, commercial security providers, security researcher blogs, etc.) for new vulnerability information. Whenever Vilocify detects vulnerability information affecting any of the components it monitors, a corresponding security notification is published. A security notification includes a detailed description of all vulnerabilities fixed in a new vendor patch, version or package for the affected components. Vilocify publishes a notification for every CVE published at NVD that affects a component in its database, thus offering CVE completeness from September 2020 for components that exist in our database. More information regarding notifications can be found in the corresponding section of the Vilocify Docs.

In most cases, security notifications are based on official vendor advisories. Where no official advisory is available, Vilocify analyzes and processes the available information in order to create a notification.

You can find all notifications published by the Vilocify service in the notification section of the Vilocify Portal and via the Vilocify REST API.

Monitoring List

With a huge number of monitored components and thousands of new notifications each year, not all the information within Vilocify is of interest to every user. Monitoring lists are the tool with which users filter for the relevant information and set up alerting via the notifications email.

A monitoring list consists of the following elements:

  • Basic Data: Generic information about the list, e.g. its name, assigned organization, comments, etc.
  • Components: A set of components a user wants to monitor, e.g. the components within a product or IT asset under their responsibility.
  • Subscribers: A set of users assigned to the list, who will then receive relevant notifications via email whenever new notifications are published for the monitored components.

Monitoring lists are not public, i.e. a Vilocify user can only see lists they are subscribed to. Only admins can see all monitoring lists of their organization, regardless of whether they are subscribed to them or not. Users can create as many monitoring lists as needed, e.g. to reflect the IT assets under their responsibility. For additional guidance on how to create a monitoring list, please consult the corresponding Vilocify Docs page. Furthermore, it is possible to define parent-child dependencies between monitoring lists: notifications affecting a child monitoring list are included in the notifications email of the subscribers of the parent monitoring list. These dependencies can only be defined by the Tenant Admin of the organization the monitoring lists are assigned to. You can find all monitoring lists you are assigned to either in the monitoring list section of the Vilocify Portal or via the Vilocify REST API.

Notifications Email

Subscribers of monitoring lists are alerted to relevant notifications via a notifications email. This email is sent once daily and contains all notifications relevant for the user, grouped by affected monitoring list. On days with no new relevant notifications, no email is sent.

Membership and Organization

Memberships and organizations are Vilocify's means of tenant separation in its SaaS offering. In most places they are hidden from normal users, but they are important concepts for admin users and users of the REST API.

Vilocify organizes its customers in organizations, sometimes referred to as tenants. Once you have ordered Vilocify, an organization is created and one person, specified during the ordering process, becomes its admin. Admins can invite users to their organization with a certain role and expiry date. A user can belong to multiple organizations and can hold multiple roles within one organization.

A membership is a user with a certain role in an organization. Vilocify internals often do not operate on a user directly but on the membership (e.g. a subscriber of a monitoring list is not a user but a membership). Memberships of one organization cannot access data of other organizations. That is why you need to select a membership when logging in to Vilocify.

Definitions and Abbreviations in the Context of the Vilocify Service

  • Advisory: Vendor-published statement on a validated vulnerability, with instructions on how to handle the issue.
  • Component: See description above.
  • COTS: Commercial off-the-shelf: components/products sold ready to use, without customization.
  • CPE: Common Platform Enumeration: structured naming scheme for IT components, maintained by NIST as part of the National Vulnerability Database (NVD).
  • CVE: Common Vulnerabilities and Exposures: a unique alphanumeric identifier assigned by the CVE Program, referencing a specific vulnerability.
  • CVE completeness: See description above.
  • CVSS: Common Vulnerability Scoring System: an open framework for communicating the characteristics and severity of vulnerabilities.
  • EOL: End of Life date, see description above.
  • Monitoring List: See description above.
  • Monitoring List Owner: Subscriber of a monitoring list who has permission to modify the list, i.e. add or remove subscribers, add or remove components, edit its basic data, or delete the list entirely.
  • Monitoring List Subscriber: User assigned to a monitoring list who therefore receives notifications emails containing relevant notifications.
  • Notification: See description above.
  • Notifications Email: See description above.
  • OSS: Open-source software: software (components) whose source code is freely available, though not necessarily free of charge.
  • Security Notification: See description above.
  • Vilocify: Vulnerability Intelligence Service.
  • Vulnerability: Weakness of a component (or product) that can be exploited by an attacker.

Vilocify service in figures (status as of mid-2023)

  • 2,000+ monitored sources
  • 80,000+ notifications
  • 230,000+ components
  • CVE completeness since 2021

Privacy Policy

Vilocify stores only information required for the proper operation of the service.
