Sightings
Presentation
Users can add observations to vulnerabilities as sightings of different types: seen, exploited, not exploited, confirmed, not confirmed, patched, and not patched.
Type | Description | Negative/Opposite |
---|---|---|
seen | The vulnerability was mentioned, discussed, or seen somewhere by the user. | - |
confirmed | The vulnerability is confirmed from an analyst perspective. | X |
exploited | This vulnerability was exploited and seen by the user reporting the sighting. | X |
patched | This vulnerability was successfully patched by the user reporting the sighting. | X |
You can find the corresponding definition of this MISP taxonomy here.
Example
Example of a sighting object:

```json
{
  "uuid": "f6ed692b-2656-4ce0-bcf1-eaf12dfe281d",
  "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
  "author": "8dfa6142-8c6d-4072-953e-71c85404aefb",
  "type": "seen",
  "source": "https://infosec.exchange/users/cve/statuses/113389560858828548",
  "vulnerability": "CVE-2024-10312",
  "creation_timestamp": "2024-10-29T08:36:31.492184Z"
}
```
A source is not necessarily a URL. It can be any string, for example the UUID of a MISP event.
Examples: https://vulnerability.circl.lu/sightings/?query=MISP
Automation tools
Realistically, sightings are more likely to be created programmatically, for instance, based on observations gathered from social networks, network captures, etc.
Our tools on the Python Package Index (PyPI):
Tool | Description |
---|---|
ShadowSight | A client that retrieves vulnerability observations from The Shadowserver Foundation and pushes them to a Vulnerability-Lookup instance. |
FediVuln | A client to gather vulnerability-related information from the Fediverse. |
BlueSkySight | A client to gather vulnerability-related information from Bluesky. |
MISPSight | A client that retrieves vulnerability observations from a MISP server and pushes them to a Vulnerability-Lookup instance. |
NucleiVuln | A client that retrieves vulnerability-related observations from the Nuclei Git repository of templates and pushes them to a Vulnerability-Lookup instance. |
ExploitDBSighting | A client that retrieves vulnerability observations from Exploit-DB and pushes them to a Vulnerability-Lookup instance. |
KEVSight | A client to generate sightings for Vulnerability-Lookup from the Known Exploited Vulnerabilities (KEV) catalog. |
GistSight | A client for gathering vulnerability-related information from GitHub Gists. |
NucleiVuln is a client designed to monitor and retrieve vulnerability-related information from the Nuclei Git repository of templates. Templates form the core of the Nuclei scanner. When a template is linked to a vulnerability, the resulting detection (observation) is classified as confirmed, signifying a higher level of certainty compared to the seen classification.
If you want to create your own sighting tool, it’s recommended to use PyVulnerabilityLookup, a Python library to access Vulnerability-Lookup via its REST API.
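As an added example (not part of this page or of the Vulnerability-Lookup project), here is the core of a small sighting tool: it turns one observation (a constructed sample post) into sighting objects shaped like the example above, validates the type against the sighting taxonomy including the "not ..." opposites, and hands the objects to a push callable. The exact PyVulnerabilityLookup call is not shown on this page, so the push function is an assumed parameter here rather than a library call.

```python
import re
from typing import Callable, Optional

# Sighting types listed on this page: "seen" has no opposite; the other
# three each have a negative form ("not confirmed", ...).
NEGATABLE = {"confirmed", "exploited", "patched"}
SIGHTING_TYPES = {"seen"} | NEGATABLE | {f"not {t}" for t in NEGATABLE}

# CVE identifier pattern: 4-digit year, sequence of 4 or more digits.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)


def opposite(sighting_type: str) -> Optional[str]:
    """Return the negative/opposite sighting type, or None if it has none."""
    if sighting_type in NEGATABLE:
        return f"not {sighting_type}"
    if sighting_type.startswith("not ") and sighting_type[4:] in NEGATABLE:
        return sighting_type[4:]
    return None


def build_sightings(text: str, source: str, sighting_type: str = "seen") -> list:
    """Build one sighting per distinct CVE mentioned in an observation.

    Only type/source/vulnerability are set; uuid, author and
    creation_timestamp are assigned by the Vulnerability-Lookup instance.
    """
    if sighting_type not in SIGHTING_TYPES:
        raise ValueError(f"unknown sighting type: {sighting_type!r}")
    cves = []
    for match in CVE_RE.findall(text):
        cve = match.upper()          # normalise "cve-..." to "CVE-..."
        if cve not in cves:          # deduplicate, preserving order
            cves.append(cve)
    return [{"type": sighting_type, "source": source, "vulnerability": c} for c in cves]


def push_all(sightings: list, push: Callable[[dict], None]) -> int:
    """Push each sighting with the supplied callable (assumed, e.g. a
    PyVulnerabilityLookup wrapper) and return how many were pushed."""
    for sighting in sightings:
        push(sighting)
    return len(sightings)


# Constructed sample observation (not a real post); CVE-2024-00002 is a placeholder.
SAMPLE_POST = "Exploited in the wild: CVE-2024-10312 (cve-2024-10312), see also CVE-2024-00002."
SAMPLE_SOURCE = "https://example.invalid/users/cve/statuses/1"  # placeholder source

if __name__ == "__main__":
    sent = push_all(build_sightings(SAMPLE_POST, SAMPLE_SOURCE, "exploited"), print)
    print(f"{sent} sighting(s) pushed")
```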