Alerts¶
Stay updated about vulnerabilities that matter to you with real-time push and pull notifications. Trigger actions automatically when new vulnerabilities appear.
At Vulners we continuously collect and normalize vulnerability intelligence from 220+ upstream sources — vendor advisories, NVD/CVE, Linux distro feeds, package registries, exploit/PoC trackers, and government/ISAC alerts — into a single graph‑linked corpus. Every record is deduplicated, cross‑referenced (CVE↔advisory↔patch↔exploit), and time‑stamped with standard fields (e.g., CVSS vectors, CWE, affected products) in consistent JSON.
Alerts puts this corpus on autopilot with subscriptions and high‑reliability delivery. Instead of polling, Alerts uses your filters and delivery targets to push Vulners Intelligence context and Assessment matches the instant they land—ready for your UI, SIEM/SOAR, or ticketing. Each event arrives with the complete context and links back to Intelligence and Assessment for verification and action.
Make Vulners Alerts the push engine behind your risk decisions—without stitching feeds or cron jobs. This page gives you both the why and the how so you can create subscriptions, wire webhook automations, and start shipping improvements the same day.
Why this matters¶
Security teams don't win by polling. They win by acting the moment something relevant changes. Alerts turns Vulners’ Intelligence and Assessment into push — so your product or team gets timely, filtered signals instead of periodic scrapes. Use subscriptions to watch for new CVEs, exploited-in-the-wild items, advisories that hit your stack, or assessment deltas across assets—and deliver them directly to the systems and humans that need to act.
Precision Without Noise¶
Keep teams focused with precise, programmatic subscriptions, from “new critical CVEs” to “issues in products we run”, delivered via webhooks or email on your cadence. Filters for product, severity, keywords, and tags (like RCE or zero-day) cut the noise so only actionable items land in front of engineers.
Automate the First Mile¶
Automate the first mile the moment an alert hits. Webhook JSON can open tickets, trigger SOAR playbooks, or kick off patch workflows without human hand-offs. Embed alerts directly in your product to retain users with in-app messages like “This affects your stack—here’s impact + fixes,” all without building your own monitoring code.
Easy to Manage¶
At scale, management stays simple. Add or change criteria to deliver tailored early-warning streams, keep stakeholders informed, and make your product the place where risk becomes action.
What you get¶
- Push notifications for Intelligence & Assessment: Subscribe to CVE streams, KEV/exploited signals, vendor advisories, and assessment results for your inventories.
- Flexible routing: Webhook targets, email, and product-embedded notifications. Multiple channels per subscription are supported.
- Powerful filtering: Scope by products/components, severity bands, keywords, tags (e.g., rce, zero-day), vendors, and live exploitation status.
- Deterministic payloads: Normalized JSON with direct links back to Vulners Intelligence (docs stub) and Assessment (docs stub).
- Built for embedding: Use Alerts to power in-app banners like “Impacts your stack” with drill-downs to impact and remediation.
- Reliability & scale: High-availability delivery with retry; idempotent event ids for safe processing.
Architecture / Overview¶
Alerts sits on top of Vulners’ event graph:
- Sources → CVEs, vendor advisories, KEV/known exploited catalogs, exploit PoCs, Intelligence enrichments (CVSS, EPSS, CWE), and Assessment matches across your asset inventories.
- Normalization & Correlation → Vulners Intelligence engine enriches and links items to affected products and exploits. Assessment maps your inventories deterministically to CVEs.
- Subscriptions → You define match rules (filters), timing, and delivery channels.
- Delivery → Webhooks (recommended for product integrations) and/or email. Each alert contains structured context and links back to Intelligence/Assessment for verification and action.
- Automation hooks → Consume alerts to create tickets, update risk dashboards, fire SOAR playbooks, or annotate assets in near-real time.
Relationship to other products: Alerts is how you turn Intelligence and Assessment into push. Use Intelligence for on-demand deep context; use Assessment to continuously evaluate assets; use Alerts to be notified when something new or relevant appears.
Quickstart¶
Below is a minimal end-to-end example in Python that creates and lists alert subscriptions. Use it as your starting point when wiring Alerts into your product backend.
- The script shows two subscription configuration samples to illustrate different use-cases; it creates just one subscription when executed. We document both configs below so you can pick the right pattern for your needs.
- Full documentation on Alerts API: (docs stub).
1) Create & list alerts (Python)¶
```python
from vulners import VulnersApi
import json

# Subscription 1: HIGH+CRITICAL CVEs feed subscription
CONFIG_CVE_FEED_HIGH_CRITICAL_CVSS_SCORE = {
    "name": "CVE Feed Critical CVSS Score Subscription",
    "query": {
        "type": "query",
        "query": "type:cve AND cvss.score:[7 TO 10]"
    },
    "delivery": {
        "type": "webhook",
        "address": "YOUR WEBHOOK URL",
        "crontab": "0 8,12,16 * * *"  # At 08:00, 12:00, and 16:00 UTC
    },
    "bulletin_fields": [
        "title",
        "short_description",
        "type",
        "href",
        "published",
        "modified",
        "cvelistMetrics"
    ],
    "timestamp_source": "published",
    "send_empty_result": True
}

# Subscription 2: software (CPE) feed for a specific Google Chrome version
CONFIG_SOFTWARE_GOOGLE_CHROME_LATEST_FEED = {
    "name": "Google Chrome 138.0.7204.184 Feed Subscription",
    "query": {
        "type": "software",
        "software": ["cpe:2.3:a:google:chrome:138.0.7204.184:*:*:*:*:*:*:*"]
    },
    "delivery": {
        "type": "webhook",
        "address": "YOUR WEBHOOK URL",
        "crontab": "0 13 * * *"  # Once a day at 13:00 UTC
    },
    "bulletin_fields": [
        "title",
        "short_description",
        "type",
        "href",
        "published",
        "modified",
        "cvelistMetrics"
    ],
    "timestamp_source": "published",
    "send_empty_result": True
}

# Select which configuration to use
CURRENT_CONFIG = CONFIG_CVE_FEED_HIGH_CRITICAL_CVSS_SCORE  # Change this to use different configurations

API_KEY = "VULNERS_API_KEY"
v = VulnersApi(api_key=API_KEY)

# Create subscription using current configuration
print(f"Creating subscription: '{CURRENT_CONFIG['name']}'...\n")
creation_response = v.subscription_v4.create(
    name=CURRENT_CONFIG["name"],
    query=CURRENT_CONFIG["query"],
    delivery=CURRENT_CONFIG["delivery"],
    bulletin_fields=CURRENT_CONFIG["bulletin_fields"],
    timestamp_source=CURRENT_CONFIG["timestamp_source"],
    send_empty_result=CURRENT_CONFIG["send_empty_result"],
)

# List all subscriptions and pretty-print them
print("Listing subscriptions...\n")
subscriptions = v.subscription_v4.get_list()
print(json.dumps(subscriptions, indent=4))
```
2) Example output (create/list)¶
```json
{
    "result": [
        {
            "id": "e4ZSc9vGd9ChUKggL8FSl3C3w2wLfPyrE8dmmNA8baGuxSnDjOJnVSLF",
            "name": "CVE Feed Critical CVSS Score Subscription",
            "query": {
                "type": "query",
                "query": "type:cve AND cvss.score:[7 TO 10]"
            },
            "delivery": {
                "type": "webhook",
                "address": "YOUR WEBHOOK URL",
                "crontab": "0 8,12,16 * * *"
            },
            "bulletinFields": [
                "title",
                "short_description",
                "type",
                "href",
                "published",
                "modified",
                "cvelistMetrics"
            ],
            "licenseId": "4VVN****IQMF",
            "isActive": true,
            "userId": "N5Z7****6KJC",
            "created": "2025-10-12T09:33:16.029000Z",
            "updated": "2025-10-12T09:33:16.029000Z",
            "timestampSource": "published",
            "sendEmptyResult": true,
            "lastSentTimestamp": "2025-10-12T09:33:16.029000Z"
        }
    ]
}
```
About the two subscription configurations in the sample¶
The Python sample includes two configuration examples (A) and (B) inside the same script to illustrate common patterns:
- Config A — Product-specific CVE stream (e.g., “Chrome stable updates & CVEs”)
  When to use: You want push updates for a specific product or vendor family (e.g., Google Chrome) including related CVEs and advisories. Typical filters: product/vendor identifiers, optional keywords/tags, severity bands. Delivery can be a webhook that opens a ticket automatically.
  What you get: Alerts referencing vendor advisories alongside CVE lists and enriched metrics (CVSS, EPSS, exploitation flags) via Intelligence.
- Config B — Inventory-aware, exploited-priority feed (Assessment-driven)
  When to use: You maintain an inventory (from CMDB, SBOMs, XDR, etc.) and care most about issues that are both present in your environment and exploited in the wild (KEV/Exploitation). Typical filters: map to your assessed components via Assessment, include exploitation:wildExploited=true (or KEV-inclusion), and set severity thresholds.
  What you get: Action-ready alerts that include the asset/package context and links back to Assessment evidence, so responders can prioritize and remediate first.
- The script creates only one subscription (Config A) to keep the demo simple, but you can uncomment/duplicate the call to create the second subscription (Config B) with its own target webhook/email. Treat each configuration as an independent stream with its own routing and SLAs.
Example webhook payload¶
Below is exactly what your webhook endpoint receives for a CVSS ≥7 CVE feed subscription.
```json
{
    "result": [
        {
            "id": "CVE-2025-61884",
            "type": "cve",
            "title": "CVE-2025-61884",
            "published": "2025-10-12T03:15:34",
            "modified": "2025-10-12T03:15:34",
            "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2025-61884",
            "cvelist": [
                "CVE-2025-61884"
            ],
            "short_description": "CVE-2025-61884 is a disclosed security vulnerability.",
            "cvelistMetrics": [
                {
                    "epss": [],
                    "cve": "CVE-2025-61884",
                    "cvss": {
                        "score": 7.5,
                        "severity": "HIGH",
                        "version": "3.1",
                        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                        "source": "[email protected]"
                    },
                    "published": "2025-10-12T03:15:34",
                    "exploitation": {
                        "wildExploited": false,
                        "wildExploitedSources": []
                    },
                    "ai_score": {
                        "value": 5.9,
                        "uncertainty": 0.7
                    }
                }
            ]
        },
        "... 3 more result(s) omitted ..."
    ],
    "subscription": {
        "id": "UoCDcCbG4UnlHpqkRE046qbRskRoypyXpiaVqXQ8MfRED3hArIw88lzp",
        "name": "CVE Feed Critical CVSS Score Subscription",
        "query": {
            "type": "query",
            "query": "type:cve AND cvss.score:[7 TO 10]"
        },
        "delivery": {
            "type": "webhook",
            "address": "YOUR WEBHOOK URL",
            "crontab": "0 8,12,16 * * *"
        },
        "bulletinFields": [
            "title",
            "short_description",
            "type",
            "href",
            "published",
            "modified",
            "cvelistMetrics",
            "cvelist"
        ],
        "licenseId": "4VVN****IQMF",
        "isActive": true,
        "userId": "N5Z7****6KJC",
        "created": "2025-10-11T15:23:58.953000Z",
        "updated": "2025-10-11T15:23:58.953000Z",
        "timestampSource": "published",
        "sendEmptyResult": true,
        "lastSentTimestamp": "2025-10-12T03:15:34Z"
    }
}
```
Implementation patterns¶
- SOAR-first: Route webhooks to your SOAR; match wildExploited=true and tag tickets with KEV IDs for escalation.
- In-product banners: When an alert maps to a customer’s inventory, surface an “Impacts your stack” banner with a link to Intelligence details and Assessment evidence.
- Split feeds by ownership: Create per-team subscriptions (e.g., “Frontend,” “Platform,” “Data”) scoped by the products they own to reduce noise.
- Change windows: Use RRULE-like schedules on the consumer side to defer non-critical alerts while always letting KEV/exploited ones through.
- Idempotent processing: Use the alert’s unique event id to dedupe; safe to retry handlers.
- Observability: Emit delivery-latency and failure-rate metrics from your webhook consumer; alert on stalled pipelines.
Production checklist¶
- Confirm webhook endpoint auth (HMAC or token) and TLS.
- Implement retries with exponential backoff; treat deliveries as at-least-once.
- Dedupe on event id; maintain a small persistence store for processed ids.
- Enforce contract tests on payload schema (payload reference).
- Map products in alerts to owners/services for auto-routing.
- Define escalation rules for KEV/wild-exploited items.
- Keep a runbook for false positives and subscription tuning.
- Backlink every alert to Intelligence/Assessment pages to aid verification.
- Add synthetic tests to ensure your webhook endpoint stays healthy.
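One way to combine the checklist items above (endpoint auth, at-least-once delivery, dedupe) with the SOAR-first escalation pattern, as an added example rather than Vulners' own code. The shared-token check, the dedupe key (subscription id + bulletin id + modified) and all function names are assumptions; the example payload on this page shows no separate event id field, so substitute it if your deliveries carry one.

```python
import hmac
import json
import sqlite3

EXPECTED_TOKEN = "constructed-shared-secret"  # assumption: token you configure yourself

# Constructed sample delivery, shaped like the example payload on this page.
SAMPLE_BODY = json.dumps({
    "result": [
        {"id": "CVE-2025-61884", "modified": "2025-10-12T03:15:34", "cvelistMetrics": [
            {"cvss": {"severity": "HIGH"}, "exploitation": {"wildExploited": False}}]},
        {"id": "EXAMPLE-0001", "modified": "2025-10-12T04:00:00", "cvelistMetrics": [
            {"cvss": {"severity": "MEDIUM"}, "exploitation": {"wildExploited": True}}]},
        "... 3 more result(s) omitted ...",
    ],
    "subscription": {"id": "constructed-subscription-id"},
})

def open_store(path=":memory:"):
    """Persistence store for processed ids; pass a file path in production."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS seen (key TEXT PRIMARY KEY)")
    return db

def triage(bulletin):
    """'escalate' if exploited in the wild, 'ticket' for HIGH/CRITICAL, else 'log'."""
    metrics = [m for m in bulletin.get("cvelistMetrics") or [] if isinstance(m, dict)]
    if any((m.get("exploitation") or {}).get("wildExploited") is True for m in metrics):
        return "escalate"
    if any((m.get("cvss") or {}).get("severity") in ("HIGH", "CRITICAL") for m in metrics):
        return "ticket"
    return "log"

def handle_delivery(token, body, db):
    """Authenticate, dedupe and triage one delivery; safe to re-run on retries."""
    if not hmac.compare_digest(token.encode(), EXPECTED_TOKEN.encode()):
        raise PermissionError("webhook token mismatch")  # constant-time comparison
    payload = json.loads(body)
    sub_id = payload["subscription"]["id"]
    actions = []
    for item in payload.get("result", []):
        if not isinstance(item, dict) or "id" not in item:
            continue  # skip non-bulletin entries instead of failing the whole batch
        key = f"{sub_id}:{item['id']}:{item.get('modified', '')}"  # assumed dedupe key
        if db.execute("INSERT OR IGNORE INTO seen VALUES (?)", (key,)).rowcount == 0:
            continue  # already processed in an earlier delivery
        actions.append((item["id"], triage(item)))
    db.commit()
    return actions
```

Because the commit happens only after the whole batch is triaged, a handler that fails midway leaves no ids marked as seen and the retried delivery is processed in full.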
Practical details¶
- Delivery formats: JSON for webhooks; human-readable for email.
- APIs & SDKs: REST + Python/JS SDKs (API reference, Python SDK, JS SDK).
- Data links: CVEs, advisories, KEV flags, EPSS, and CVSS vectors link to Intelligence; inventory/package context links to Assessment.
FAQ¶
How is this different from polling Intelligence or Assessment?
Polling costs time and misses windows. Alerts is push-native: Vulners filters and delivers events as they happen, with deterministic payloads that point to Intelligence context and Assessment evidence. Polling will eventually be deprecated.
Can I route the same subscription to multiple channels?
You need to create separate subscriptions per team/environment.
What if my inventory changes daily?
You can update the subscription with new filters.
How do I keep noise low?
Start with exploited-first filters (KEV/wildExploited) and products you actually run; expand carefully. Split subscriptions by ownership and severity thresholds.
TL;DR¶
Alerts converts Vulnerability Intelligence and Assessment into push. Define precise subscriptions, route them to your systems, and automate the first mile—from “new CVE” to “ticket created with fixes”—with minimal engineering overhead.