Privacy Policy

VulnDB HQ is committed to protecting our users' privacy. This statement is meant to inform our users of how we define, gather and utilize personally identifiable information. We will take reasonable steps to protect user privacy consistent with the guidelines set forth in this policy and the law. By using this site, you consent to the following privacy policy.

This policy was last modified on January 30, 2013.


Data collected

We collect anonymous data from every visitor of the Service to monitor traffic and fix bugs. For example, we collect information like web requests, the data sent in response to such requests, the Internet Protocol address, the browser type, the browser language, and a timestamp for the request.

For the Service, we ask you to register an account, log in and provide certain information (such as names and email addresses of your team members, your company name and address and your credit card information) in order to be able to store your Library entries and invoices, as well as periodically automatically bill you & charge your card (credit card numbers are never stored on our servers, but are securely transmitted and stored with our payment provider).

Cookies are used to store information about your current session and other preferences. This information may be used to track user progress and to offer a more personalized experience. Cookies can be disabled or cleared in your web browser settings.

Use of data

We only use your personal information to provide you with the Service and to communicate with you about the Service or the Website.

With respect to any data you may choose to enter or upload to VulnDB, we take the privacy and confidentiality of this data seriously. Your data (in the Service) is specifically not shared between accounts or with the public. We employ industry standard techniques (including your own database schema) to protect against unauthorized access of data that we store, including personal information. All off-site backups of your data are securely encrypted.

We do not share personal information you have provided to us without your consent, unless:

  • doing so is appropriate to carry out a user’s request;
  • we believe it’s necessary in order to provide the highest quality of service;
  • we believe it’s needed to enforce our Terms of Service, or that is legally required;
  • we believe it’s needed to detect, prevent or address fraud, security or technical issues;
  • otherwise protect our property, legal rights, or that of others.

VulnDB is operated from the European Union. If you are visiting the Website from outside the EU, you agree to any processing of any personal information you provide us according to this policy.

VulnDB may contact you by email. For example, VulnDB may send you promotional emails relating to the Service or communicate with you about your use of the Website and Service. If you do not want to receive email from VulnDB, please opt out of receiving emails at the bottom of any VulnDB email. Please note that for some emails (for example billing issues), there’s no option to opt-out.

Sharing of Data

We don’t share your personal information with third parties except as listed below. Only aggregated, statistical data is periodically transmitted to external services to help us improve the VulnDB Website and Service.

We currently use Mailchimp (mailing list management) and Kissmetrics (analytics). We list below exactly what data these third parties extract. Feel free to check out their own Privacy Policies to find out more.

  • Mailchimp: your name, email and account name
  • Kissmetrics: registered users’ activity (not including data entered by you).

Additionally, VulnDB uses third party vendors that provide the necessary hardware, software, networking, storage and other technology required to run the Website and the Service. While Security Roots owns the rights to the VulnDB Website and Service, you retain all rights to the data you enter into VulnDB.

In order to provide the Service, we also share data with services that help us track errors and bugs, keep backups of log files and identify performance issues.

We employ and contract with people and other entities that perform certain tasks on our behalf and who are under our control (our “Agents”). We may need to share personal information with our Agents in order to provide products or services to you. Unless we tell you differently, our Agents do not have any right to use Personal Information or other information we share with them beyond what is necessary to assist us. You hereby consent to our sharing of Personal Information with our Agents.

If VulnDB is acquired or merged with another company, or Security Roots sells the VulnDB Website and Service to another company, or if Security Roots goes out of business or enters bankruptcy, user information may be transferred to a third party. You acknowledge that such transfers may occur, and that any acquirer of Security Roots or its assets may continue to use your personal information as set forth in this policy.

Changes to the Privacy Policy

We may amend this Privacy Policy from time to time. Use of information we collect now is subject to the Privacy Policy in effect at the time such information is used. If we make any significant changes in the way we collect or use information, we will notify you by posting an announcement on the Website or sending you an email. A user is bound by any changes to the Privacy Policy when he or she uses the Services after such changes have been first posted.


  • Version 1.1, January 30, 2013. Clarify Data collection, use and sharing.
  • Version 1.0, December 4, 2011. Initial release.