Sightings
Presentation
Users can add observations to vulnerabilities using different types of sightings, such as: seen, exploited, not exploited, confirmed, not confirmed, patched, and not patched.
| Type | Description | Negative/Opposite |
|---|---|---|
| seen | The vulnerability was mentioned, discussed, or observed by the user. | No |
| confirmed | The vulnerability has been validated from an analyst’s perspective. | Yes |
| published-proof-of-concept | A public proof of concept is available for this vulnerability. | No |
| exploited | The vulnerability was observed as exploited by the user who reported the sighting. | Yes |
| patched | The vulnerability was observed as successfully patched by the user who reported the sighting. | Yes |
You can find the corresponding definition of this MISP taxonomy here.
Example
Example of a sighting object:
```json
{
  "uuid": "f6ed692b-2656-4ce0-bcf1-eaf12dfe281d",
  "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
  "author": "8dfa6142-8c6d-4072-953e-71c85404aefb",
  "type": "seen",
  "source": "https://infosec.exchange/users/cve/statuses/113389560858828548",
  "vulnerability": "CVE-2024-10312",
  "creation_timestamp": "2024-10-29T08:36:31.492184Z"
}
```

A source is not necessarily a URL. It can be any string, for example, the UUID of a MISP event.
Examples: https://vulnerability.circl.lu/sightings/?query=MISP
Automation tools
Realistically, sightings are more likely to be created programmatically, for instance, based on observations gathered from social networks, network captures, etc.
Our tools on the Python Package Index (PyPI):
| Tool | Description |
|---|---|
| ShadowSight | A client that retrieves vulnerability observations from The Shadowserver Foundation and pushes them to a Vulnerability-Lookup instance. |
| FediVuln | A client to gather vulnerability-related information from the Fediverse. |
| BlueSkySight | A client to gather vulnerability-related information from Bluesky. |
| MISPSight | A client that retrieves vulnerability observations from a MISP server and pushes them to a Vulnerability-Lookup instance. |
| NucleiVuln | A client designed to retrieve vulnerability-related observations from the Nuclei Git repository of templates and push them to a Vulnerability-Lookup instance. |
| ExploitDBSighting | A client that retrieves vulnerability observations from Exploit-DB and pushes them to a Vulnerability-Lookup instance. |
| KEVSight | A client to generate sightings for Vulnerability-Lookup from the Known Exploited Vulnerabilities (KEV) catalog. |
| GistSight | A client for gathering vulnerability-related information from GitHub Gists. |
| MetasploitSight | A client designed to retrieve vulnerability-related information from the modules available in Metasploit. |
If you want to create your own sighting tool, it’s recommended to use PyVulnerabilityLookup, a Python library to access Vulnerability-Lookup via its REST API.
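An added example, not code from the Vulnerability-Lookup project or its tools: turning a free-text observation into sighting objects shaped like the one shown above, with the type checked against the table. The helper names, the `not-` spelling of negative types, and emitting only `type`, `source`, `vulnerability` and `creation_timestamp` are assumptions; the sample post is constructed.

```python
import re
from datetime import datetime, timezone

# Types from the table above; True means the table lists a negative/opposite form.
SIGHTING_TYPES = {"seen": False, "confirmed": True, "published-proof-of-concept": False,
                  "exploited": True, "patched": True}
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)


def sighting_type(base, negative=False):
    """Return the type string, rejecting negatives the table does not define."""
    if base not in SIGHTING_TYPES:
        raise ValueError(f"unknown sighting type: {base!r}")
    if negative and not SIGHTING_TYPES[base]:
        raise ValueError(f"{base!r} has no negative form")
    # Assumption: negatives are spelled with a "not-" prefix.
    return f"not-{base}" if negative else base


def build_sightings(text, source, base="seen", negative=False, observed_at=None):
    """Build one sighting dict per distinct CVE id mentioned in `text`."""
    if not isinstance(source, str) or not source.strip():
        raise ValueError("source must be a non-empty string (URL, MISP event UUID, ...)")
    kind = sighting_type(base, negative)
    when = observed_at or datetime.now(timezone.utc)
    if when.tzinfo is None:
        raise ValueError("observed_at must be timezone-aware")
    stamp = when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    seen_ids, out = set(), []
    for match in CVE_RE.finditer(text):
        cve = match.group(0).upper()  # normalise case before de-duplicating
        if cve in seen_ids:  # one sighting per vulnerability per source
            continue
        seen_ids.add(cve)
        out.append({"type": kind, "source": source.strip(),
                    "vulnerability": cve, "creation_timestamp": stamp})
    return out


# Constructed observation text (not real data); the source is the page's example URL.
SAMPLE_POST = "Patch now: cve-2024-10312 is being discussed, see CVE-2024-10312 advisory."
SAMPLE_SOURCE = "https://infosec.exchange/users/cve/statuses/113389560858828548"

if __name__ == "__main__":
    for s in build_sightings(SAMPLE_POST, SAMPLE_SOURCE):
        print(s)
```

Each resulting dict is what a sighting tool would then submit to a Vulnerability-Lookup instance through its REST API.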