TL;DR
Traditional CVE-based vulnerability tracking is no longer enough for modern application security. This post walks through how developer and security teams can build a true vulnerability intelligence strategy by integrating commercial, open source, and vendor-specific data sources—automating aggregation, dealing with fragmented data, and handling real-world risk prioritization.
Table of Contents
- Introduction
- Why Going Beyond CVE Matters for Developers
- The CVE Foundation & Its Gaps
- Enriching with NVD and CVSS
- Commercial & Open-Source Vulnerability Feeds
- Vendor & OSS Advisory Channels
- Emerging Automation and Scoring Trends
- Building a Multi-Source Pipeline: Architecture
- Integration Challenges & Practical Solutions
- Discussion Point
- The Human Element & Next Steps
- Conclusion
- Resources
Introduction
Ever discovered a critical bug in production, searched CVE/NVD, and found… nothing? Weeks later, someone links a niche GitHub advisory or obscure vendor bulletin—long before a CVE number existed. As defenders, we can’t afford to wait for official listings, nor can we rely on one source.
Developers building, securing, or maintaining modern applications must adopt a holistic vulnerability intelligence pipeline if they want to stay on top of "silent" security threats.
Why Going Beyond CVE Matters for Developers
- Apps depend on hundreds of open source, cloud, and third-party components—many with vulnerabilities never assigned a CVE.
- Exploits often surface before official advisories.
- Real-world attackers mine overlooked sources, such as GitHub advisories or vendor mailing lists.
If your tooling only tracks CVEs, you will miss critical issues, especially those affecting dependencies or newer tech stacks.
The CVE Foundation & Its Gaps
CVE stands for Common Vulnerabilities and Exposures and is the Internet’s universal vulnerability index—think “social security numbers for security flaws.” Each CVE entry includes:
- Unique ID (e.g.,
CVE-2025-1234) - Short description
- Reference links
But CVEs are limited:
- No severity scores
- No exploitation info
- No remediation guidance
- Lag in assignments (weeks or months)
Enriching with NVD and CVSS
The NIST National Vulnerability Database (NVD) builds on CVE, adding:
- Common Vulnerability Scoring System (CVSS) scores
- Attack vector analysis
- Impact assessments
Limits: CVSS provides prioritization, but still lacks exploitability context and can be delayed by slow CVE publication.
Commercial & Open-Source Vulnerability Feeds
Commercial Intelligence:
- Risk Based Security VulnDB—tracks 200K+ vulns (vs. ~180K in CVE), including many with NO CVE.
- Exploit Database—collection of real-world exploits and POCs.
Open Source Databases:
- GitHub Security Advisories: Fast, but fragmented across thousands of repositories.
- Google OSV (Open Source Vulnerabilities): Maps vuln data to code commits—ideal for dependency management in large OSS projects.
Vendor & OSS Advisory Channels
Major vendors (e.g., Microsoft, Adobe, Oracle) publish their own advisories, often containing:
- Patch timelines
- Exploit mitigations
- Unique identification independent of CVE
Why it matters: Some vulnerabilities are only ever disclosed via these channels.
Emerging Automation and Scoring Trends
Key Trends Reshaping Vulnerability Intelligence
- Automated code scanning: Static/dynamic scanners (e.g., Snyk, Dependabot) catch issues pre-CVE.
- Supply chain focus: Dependency tracking (e.g., SBOMs) reveals hidden risks.
- AI/ML prediction: Algorithms flag likely vuln-prone code before formal advisory publication.
Next-Gen Scoring
- EPSS (Exploit Prediction Scoring System): Probability a vuln will be exploited in 30 days.
- SSVC (Stakeholder-Specific Vulnerability Categorization): Decision-tree model—prioritize based on exploitability, exposure, and utility.
Building a Multi-Source Pipeline: Architecture
To build a comprehensive vulnerability intelligence pipeline, aggregate data from multiple sources such as:
- CVE APIs
- NVD feeds
- Commercial databases like VulnDB
- Open source advisories from GitHub Security Advisories and Google OSV
- Vendor advisories (RSS or JSON)
These inputs feed into an aggregation layer, which then deduplicates and correlates vulnerability information from different formats and identifiers. Following aggregation, a risk scoring engine (utilizing CVSS, EPSS, SSVC, and exploitability context) processes the vulnerabilities to prioritize them. Finally, alerts or dashboards present actionable intelligence to developers and security teams so they can respond effectively.
Popular tools worth considering:
- Grype
- OSV-Scanner
- Custom orchestration (e.g., Airflow, Jenkins, or security orchestration platforms)
Integration Challenges & Practical Solutions
Problem:
- Multiple data formats (JSON, XML, RSS)
- Inconsistent IDs (CVE vs. GHSA vs. vendor IDs)
- Different update cadences and coverage
Solutions:
- Prefer APIs for real-time updates
- Use mapping tables or fuzzy matching for cross-referencing IDs
Build connectors that normalize data to a unified schema
Use platforms like DefectDojo or VulnWhisperer
Discussion Point
How does your team currently aggregate vulnerability data from multiple sources? What practical tools, APIs, or custom solutions have you found effective (or challenging) when correlating advisories across formats and ecosystems?
The Human Element & Next Steps
Don’t go full auto—machines aggregate, humans prioritize:
- Security engineers determine exploit likelihood, business impact, and mitigation strategy.
- Build relationships with OSS maintainers and vendor PSIRTs for early warning.
- Regularly audit for gaps in your current vulnerability intelligence sources.
Conclusion
Sticking to CVE/NVD is like driving with one eye closed. As the threat landscape evolves, so must our vulnerability intelligence approach. Developers and security teams need an automated, multi-source, context-rich pipeline that combines machine efficiency with human judgement—and adapts alongside new tools, standards, and adversary TTPs.
Resources
- CVE Services API
- GitHub Security Advisory API
- Google OSV Database
- Exploit Database
- EPSS Scoring System
This article was adapted from my original blog post. Read the full version here: Beyond CVE: Building a Complete Vulnerability Intelligence Strategy