Using the Snyk Vulnerability Database

The Snyk Vulnerability Database contains a comprehensive list of known security vulnerabilities.
This database is separate from the databases maintained by standards bodies, and Snyk is recognized as an official authority on security.

Snyk security team

We have a group of experts, the Snyk security team, who are dedicated to finding new vulnerabilities, and we have contributed many discoveries to authorities such as CVE.
Snyk's security team maintains the database to ensure that it remains highly accurate and free of false positives.
This work includes curating vulnerabilities found or reported elsewhere on the web, as well as doing our own research to uncover previously unknown vulnerabilities, which we then responsibly disclose. Snyk Enterprise users receive early notifications for issues our research uncovers alongside this responsible disclosure process.
  • All items in the database are analyzed and verified.
  • The team also invests in proprietary research to discover new vulnerabilities. See the Snyk disclosed vulnerability list.

Vulnerability sources

Most of the vulnerabilities in our database originate from one of these sources:
  1. Monitoring other vulnerability databases, such as CVEs from NVD and many others.
  2. Monitoring user activity on GitHub, including issues, PRs and commit messages that may indicate a vulnerability.
  3. Bulk research, using tools that look for repeated security mistakes across open source package code.
  4. Manual research, investing our researchers' time to manually audit more widely used packages for security flaws.
For every issue deemed to be a real vulnerability, we assign the correct CVSS (severity) score and package version specification, create an advisory, and make this issue available to Snyk products for your use.