Email notifications#

Vulnerability-Lookup provides two independent email notification mechanisms:

  • Watchlist notifications: scheduled digests for vendors, products, and organizations watched by users. Delivered by a dedicated notification service that must be launched separately (instructions below).

  • KEV catalog subscriptions: near real-time alerts when new entries are recorded in a Known Exploited Vulnerabilities catalog. Built into the web application — no additional service required.

Both mechanisms use the mail settings (MAIL_SERVER, MAIL_DEFAULT_SENDER, PLATFORM_URL, etc.) from config/website.py and require user accounts to be enabled.

Watchlist notification service#

This section provides instructions for activating the email notification service.

Launching the service with poetry#

From the directory used to install Vulnerability-Lookup:

poetry run flask --app website.app notify_users

Launching the service with systemd#

Create the file /etc/systemd/system/vulnerability-lookup-notify.service:

[Unit]
Description=Vulnerability-Lookup notification service
After=vulnerability-lookup-web.service
Requires=vulnerability-lookup-web.service

[Service]
Type=simple
User=<system user used to install Vulnerability-Lookup>
Group=<group of the user used to install Vulnerability-Lookup>
WorkingDirectory=<path to the cloned repository>
Environment="VULNERABILITYLOOKUP_HOME=<path to the cloned repository>"
ExecStart=<path to poetry> run python -m flask \
    --app website.app notify_users
StandardOutput=append:/var/log/vulnerability-lookup_notify_message.log
StandardError=append:/var/log/vulnerability-lookup_notify_error.log
Restart=on-failure
RestartSec=15s

[Install]
WantedBy=multi-user.target

Note

Use Requires only if the web service is managed by systemd on the same host, otherwise just use After to ensure the web service starts before the notification service when both are enabled on the same host.

Then reload and enable the service:

sudo systemctl daemon-reload
sudo systemctl enable vulnerability-lookup-notify.service
sudo systemctl start vulnerability-lookup-notify.service
systemctl status vulnerability-lookup-notify.service

To follow the service logs live:

sudo journalctl -u vulnerability-lookup-notify.service -f

Error logs:

tail -f logs/vulnerability-lookup_notify_error.log

Messages:

tail -f logs/vulnerability-lookup_notify_message.log

KEV catalog email subscriptions#

Authenticated users can subscribe to any Known Exploited Vulnerabilities catalog from its page (/known-exploited-vulnerabilities-catalog/). Whenever new KEV entries are recorded in a subscribed catalog — via the web interface, the API, or synchronization with a remote instance — subscribers receive a digest email (HTML and plain-text parts) linking to each KEV entry and its vulnerability page. Subscriptions can be reviewed and removed on the /user/notifications page, and the number of subscribers per catalog is shown on the /kev-catalogs page.

Unlike the watchlist service above, this mechanism runs inside the web application itself: new entries are queued in the Redis cache and a background worker sends one digest per catalog and subscriber once a short batching window has elapsed. Nothing needs to be launched or scheduled separately.

Configuration#

The behavior is controlled by the following settings in config/website.py:

# #### KEV catalog e-mail digests ####
# Subscribers of a KEV catalog receive one digest e-mail per catalog covering
# all entries recorded during the batching window.
KEV_DIGEST_ENABLED = True
KEV_DIGEST_BATCH_WINDOW = 120  # seconds entries accumulate before a digest is sent
KEV_DIGEST_FLUSH_INTERVAL = 30  # seconds between flush-worker wakeups
KEV_DIGEST_MAX_ENTRIES_PER_EMAIL = 100  # digest links to the catalog for the rest

The batching window protects subscribers from email floods during bulk imports or synchronizations: all entries recorded in a catalog within the window are grouped into a single digest, and a digest never lists more than KEV_DIGEST_MAX_ENTRIES_PER_EMAIL entries (the email links to the catalog page for the rest).

Set KEV_DIGEST_ENABLED = False to disable the feature entirely; the subscribe buttons remain functional but no emails are sent.

Delivery activity is logged by the web application under the website.notifications.kev_digest logger. When the application runs in debug mode, emails are written to the sent-emails/ directory instead of being sent over SMTP.