Such as CVE, NVD and more. Data derived from these resources is analysed, tested and enriched, before being included in the database.
Comprehensive and actionable open source vulnerability dataSchedule a Demo
Comprehensive security coverage
The Snyk database goes far beyond CVE vulnerabilities and includes many additional non-CVE vulnerabilities that are derived from several sources
Snyk regularly wins head to head comparisons to other vendors and finds many more vulnerabilities not detected by others
Snyk exposes many vulnerabilities before they are added to public databases. On Average, Snyk publishes vulnerabilities 92 days sooner than NPM Audit.
1. Enriched data from over 10 vulnerability databases
2. Dedicated proprietary research for new vulnerabilities:
Our Security team is working to uncover severe vulnerabilities in key components.
A recent disclosure by our team is Zip-Slip.vulnerabilities were discovered by proprietary research during 2018
4. Community relationship:
Snyk collaborates with the community and operates bug bounties for new disclosures. This activity results in hundreds of community disclosures, such as f2e-server.
5. Collaboration with academia:
The team partners with PhD academia labs such as Berkeley, Virginia Tech and Waterloo, to exchange tools, methods and data. Findings are then exclusively disclosed by Snyk
(See here Virginia Tech study with Snyk).vulnerabilities disclosed by academia labs during 2018
Team of security experts
The Snyk security database is managed by a team of experts, researchers and analysts ensuring the database maintains a high level of accuracy with a low false-positive rate.
The team is headed by Snyk’s co-founder, Danny Grander, a veteran security researcher. Previously, Danny built cyber solutions for government agencies, led vulnerability research and managed research and development teams. Danny is a competitor and frequent winner of CTF at DefCon, CCC CTF, Google CTF.
Thanks to the team at Snyk, the database authority was validated by the leading security institutes: Snyk was appointed as a CVE numbering authority, it is a member of the Node Foundation security membership group and a contributing member of OWASP.
Curated, enriched and actionable content
- A detailed vulnerability description is offered including: hand-curated content and summaries, including code snippets were applicable.
- All items in the database are analyzed and tested for their accuracy (version ranges, vulnerable method, etc).
- CVSS score and vector are assigned to 100% of vulnerabilities.
- In 20% of vulnerability instances, upgrading a vulnerable package is too disruptive or is not possible
- Snyk can uniquely extends the remediation coverage by offering its precision patches.
- These patches are developed and rigorously tested in collaboration with the package owner
- Snyk backports the original fix to all applicable historical versions, without introducing breaking changes.
- Vulnerable functions called in runtime
For issue prioritization, Snyk is able to alert when a vulnerable function is actually being called during the runtime of the application.
Snyk indicates when a vulnerability has a published proof of concept of how it can be exploited Published exploit code serves as a good indicator of exploitability because it enables attackers to easily weaponize a vulnerability.
Powering security across the ecosystem
Powering Google Chrome
Powering Microsoft Sonar
Powering vulnerability scanning in NodeSource N|Solid and Certified Modules
Powering vulnerability scanning for Anchore Enterprise
“We didn’t trust the security coverage provided
by the previous solution was comprehensive enough, which later comparing to Snyk was indeed clear”
Top-tier players are choosing to be protected by Snyk, validating the quality of the coverage Snyk provides