Vulnerability Database

Comprehensive and actionable open source vulnerability data


Comprehensive security coverage

Beyond CVE/NVD

The Snyk database goes far beyond CVE vulnerabilities and includes many additional non-CVE vulnerabilities derived from several sources.

% more vulnerabilities than NVD (public database)
Best coverage in the market

Snyk regularly wins head-to-head comparisons against other vendors and finds many vulnerabilities that others do not detect.

% better database coverage compared to other vendors
Based on a comparison of scan results of Snyk versus Whitesource and NPM Audit. The scanned projects are: NodeGoat, Spring-boot, thimble.mozilla.org, angular, generator-jhipster.
First to know & publish

Snyk exposes many vulnerabilities before they are added to public databases. On average, Snyk publishes vulnerabilities 92 days sooner than NPM Audit.

% of the vulnerabilities in npm audit were added first to the Snyk database

Database sources

  1. Enriched data from over 10 vulnerability databases

    Such as CVE, NVD and more. Data derived from these resources is analysed, tested and enriched before being included in the database.

  2. Dedicated proprietary research for new vulnerabilities:

    Our security team works to uncover severe vulnerabilities in key components.

    A recent disclosure by our team is Zip-Slip.

    vulnerabilities were discovered by proprietary research during 2018
  3. Threat intelligence systems:

    Listen to chatter on security bulletins, Jira boards, GitHub commits, etc., to automatically identify vulnerabilities that have yet to be reported. Vulnerabilities previously surfaced from this source include Apache Airflow and Marked.

  4. Community relationships:

    Snyk collaborates with the community and operates bug bounties for new disclosures. This activity results in hundreds of community disclosures, such as f2e-server.

  5. Collaboration with academia:

    The team partners with PhD academic labs such as Berkeley, Virginia Tech and Waterloo to exchange tools, methods and data. Findings are then disclosed exclusively by Snyk (see the Virginia Tech study with Snyk).

    vulnerabilities disclosed by academia labs during 2018

Team of security experts

The Snyk security database is managed by a team of experts, researchers and analysts, ensuring that the database maintains a high level of accuracy with a low false-positive rate.

The team is headed by Snyk’s co-founder, Danny Grander, a veteran security researcher. Previously, Danny built cyber solutions for government agencies, led vulnerability research and managed research and development teams. Danny competes in, and frequently wins, CTFs at DefCon, CCC CTF and Google CTF.

Thanks to the team at Snyk, the authority of the database has been validated by leading security institutions: Snyk was appointed a CVE Numbering Authority, is a member of the Node Foundation security membership group and is a contributing member of OWASP.

Curated, enriched and actionable content

Hand-curated content and enriched metadata:
  • A detailed vulnerability description is offered, including hand-curated content and summaries, with code snippets where applicable.
  • All items in the database are analyzed and tested for accuracy (version ranges, vulnerable method, etc.).
  • A CVSS score and vector are assigned to 100% of vulnerabilities.
Remediation with Precision Patches
  • In 20% of vulnerability instances, upgrading a vulnerable package is too disruptive or is not possible.
  • Snyk uniquely extends remediation coverage by offering its precision patches.
  • These patches are developed and rigorously tested in collaboration with the package owner.
  • Snyk backports the original fix to all applicable historical versions, without introducing breaking changes.
% of vulnerability instances cannot be fixed by an upgrade
K Snyk precision patches are applied each month
Triage support:
  • Vulnerable functions called at runtime
    For issue prioritization, Snyk can alert when a vulnerable function is actually being called during the runtime of the application.
  • Exploitability
    Snyk indicates when a vulnerability has a published proof of concept showing how it can be exploited. Published exploit code serves as a good indicator of exploitability because it enables attackers to easily weaponize a vulnerability.

Powering security across the ecosystem

Powering Google Chrome

Powering Microsoft Sonar

Powering vulnerability scanning in NodeSource N|Solid and Certified Modules

Powering vulnerability scanning for Anchore Enterprise

“We didn’t trust the security coverage provided by the previous solution was comprehensive enough, which later comparing to Snyk was indeed clear”

Leif Dreizler
Segment, Security Engineering

Top-tier players are choosing to be protected by Snyk, validating the quality of the coverage Snyk provides.