Sightings
Presentation
A sighting is a structured observation tying a real-world signal to a specific vulnerability. It records that a user, automation tool, or external source observed, confirmed, exploited, or patched the vulnerability at a given point in time. Sightings let Vulnerability-Lookup capture context that does not appear in static advisories — chatter on social networks, publication of proofs of concept, observed exploitation, patching activity, and so on — and attach it to the vulnerabilities the platform already tracks.
The exact structure of a sighting is described by a JSON schema: Sighting.json.
Fields
| Field | Type | Required | Description |
|---|---|---|---|
| uuid | UUIDv4 | yes | Unique identifier of the sighting (assigned by the server). |
| vulnerability_lookup_origin | UUIDv4 | yes | Identifier of the Vulnerability-Lookup instance that produced the sighting. |
| author | UUIDv4 | yes | Identifier of the author who created the sighting. |
| vulnerability | string | yes | The vulnerability the sighting refers to (e.g. a CVE, GHSA, or other supported identifier). |
| type | enum | yes | One of the sighting types listed below. |
| creation_timestamp | date-time | yes | When the observed event happened. Best practice: use the timestamp of the original event (e.g. the publication date of the Mastodon status or Telegram message that mentions the vulnerability). If that timestamp is not available, fall back to the time the sighting itself is created. |
| source | string (≤ 2048 chars) | no | Where the sighting comes from: a Fediverse status URI, a link, a tool name, a MISP event UUID, etc. |
| content | string | no | Optional free-form description of the sighting. |
Types
A sighting carries one of the following observation types:
| Type | Description |
|---|---|
| seen | The vulnerability was mentioned, discussed, or observed by the reporter. |
| confirmed | The vulnerability has been validated from an analyst’s perspective. |
| not-confirmed | The vulnerability could not be validated by the reporter. |
| published-proof-of-concept | A public proof of concept is available for this vulnerability. |
| exploited | The vulnerability was observed as exploited by the reporter. |
| not-exploited | The vulnerability was checked by the reporter and found not to be exploited. |
| patched | The vulnerability was observed as successfully patched by the reporter. |
| not-patched | The vulnerability was checked by the reporter and found not to be patched. |
The corresponding MISP taxonomy is documented here.
Automation tools
In practice, sightings are more likely to be created programmatically, for instance from observations gathered on social networks, in network captures, etc.
Our tools on the Python Package Index (PyPI):
| Tool | Description |
|---|---|
| ShadowSight | A client that retrieves vulnerability observations from The Shadowserver Foundation and pushes them to a Vulnerability-Lookup instance. |
| FediVuln | A client to gather vulnerability-related information from the Fediverse. |
| BlueSkySight | A client to gather vulnerability-related information from Bluesky. |
| MISPSight | A client that retrieves vulnerability observations from a MISP server and pushes them to a Vulnerability-Lookup instance. |
| NucleiVuln | A client designed to retrieve vulnerability-related observations from the Nuclei Git repository of templates and push them to a Vulnerability-Lookup instance. |
| ExploitDBSighting | A client that retrieves vulnerability observations from Exploit-DB and pushes them to a Vulnerability-Lookup instance. |
| KEVSight | A client to generate sightings for Vulnerability-Lookup from the Known Exploited Vulnerabilities (KEV) catalog. |
| GistSight | A client for gathering vulnerability-related information from GitHub Gists. |
| MetasploitSight | A client designed to retrieve vulnerability-related information from the modules available in Metasploit. |
| TeleGramSight | A client designed to retrieve vulnerability-related information from a Telegram collector. |
If you want to create your own sighting tool, it’s recommended to use PyVulnerabilityLookup, a Python library to access Vulnerability-Lookup via its REST API.
Examples
Structure of a sighting object
```json
{
  "uuid": "d292fe1c-b3b8-4d88-984d-aaa3680c92ff",
  "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
  "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
  "vulnerability": "CVE-2026-3323",
  "type": "seen",
  "source": "https://infosec.exchange/users/certvde/statuses/116515547941636846",
  "content": "#OT #Advisory VDE-2026-048VEGA: Missing Authentication for critical function in VEGAPULS Bluetooth products\nVulnerable components expose sensitive information to unauthorized actors through an unsecured configuration interface. Vulnerable firmware releases contain an unsecured configuration interface that allows retrieval of sensitive information such as hashed credentials.#CVE CVE-2026-3323\nhttps://certvde.com/en/advisories/vde-2026-048/\n#CSAF https://vega.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-048.json",
  "creation_timestamp": "2026-05-04T09:16:09.070432Z"
}
```

A source is not necessarily a URL — it can be any string, including a MISP event UUID. Examples: https://vulnerability.circl.lu/sightings/?query=MISP
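The field and type rules above can be checked on the client before a sighting is pushed. The following is an added example, not code from Vulnerability-Lookup or PyVulnerabilityLookup: `validate_sighting` and `build_sighting` are hypothetical helper names, and sending `creation_timestamp` in a submitted payload is an assumption drawn from the field table.

```python
# Added example: helper names are hypothetical, not part of PyVulnerabilityLookup.
import uuid
from datetime import datetime, timezone

# Observation types from the "Types" table on this page.
SIGHTING_TYPES = {"seen", "confirmed", "not-confirmed", "published-proof-of-concept",
                  "exploited", "not-exploited", "patched", "not-patched"}
UUID_FIELDS = ("uuid", "vulnerability_lookup_origin", "author")
MAX_SOURCE_LEN = 2048  # limit stated in the "Fields" table

def _is_uuid4(value):
    value = value.get("uuid") if isinstance(value, dict) else value  # listings nest the author
    try:
        return uuid.UUID(str(value)).version == 4
    except ValueError:
        return False

def validate_sighting(obj, stored=True):
    """Return a list of problems (empty = OK); stored=False skips server-set fields."""
    errors = [f"{f}: not a UUIDv4" for f in UUID_FIELDS if stored and not _is_uuid4(obj.get(f))]
    vuln, kind, source = obj.get("vulnerability"), obj.get("type"), obj.get("source")
    if not isinstance(vuln, str) or not vuln.strip():
        errors.append("vulnerability: missing or empty")
    if not isinstance(kind, str) or kind not in SIGHTING_TYPES:
        errors.append(f"type: {kind!r} is not a listed sighting type")
    if source is not None and (not isinstance(source, str) or len(source) > MAX_SOURCE_LEN):
        errors.append(f"source: must be a string of at most {MAX_SOURCE_LEN} characters")
    ts = obj.get("creation_timestamp")
    if stored or ts is not None:  # a new payload may leave the timestamp to the server
        try:  # "date-time" is RFC 3339, which requires an explicit UTC offset
            if datetime.fromisoformat(str(ts).replace("Z", "+00:00")).tzinfo is None:
                errors.append("creation_timestamp: missing UTC offset")
        except ValueError:
            errors.append("creation_timestamp: missing or not an ISO 8601 date-time")
    return errors

def build_sighting(vulnerability, sighting_type, source=None, event_time=None):
    """Build a submission payload (assumes the server accepts creation_timestamp)."""
    when = event_time or datetime.now(timezone.utc)  # fall back to "now" only if unknown
    if when.tzinfo is None:
        raise ValueError("event_time must be timezone-aware")
    payload = {"vulnerability": vulnerability, "type": sighting_type,
               "creation_timestamp": when.astimezone(timezone.utc).isoformat()}
    if source is not None:
        payload["source"] = source
    if errors := validate_sighting(payload, stored=False):
        raise ValueError("; ".join(errors))
    return payload
```

The dictionary returned by `build_sighting` has the same shape as the `sighting` argument passed to `create_sighting` in the examples on this page.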
Initialization of a PyVulnerabilityLookup object

```python
from pyvulnerabilitylookup import PyVulnerabilityLookup

vuln_lookup = PyVulnerabilityLookup("https://vulnerability.circl.lu/", token="<YOUR-API-TOKEN>")
```

Retrieve sightings for a specific vulnerability

```python
# Uses the vuln_lookup client created above.
sighting_cve_list = vuln_lookup.get_sightings(vuln_id='CVE-2024-9474')
print(sighting_cve_list)
```

Example output:
```json
{
  "metadata": {
    "count": 104,
    "page": 1,
    "per_page": 1000
  },
  "data": [
    {
      "uuid": "b804f360-9d9f-4326-a1ae-e32fb82e268b",
      "creation_timestamp": "2024-11-18T22:19:16.087185+00:00",
      "type": "seen",
      "source": "https://feedsin.space/feed/CISAKevBot/items/2704494",
      "vulnerability": "CVE-2024-9474",
      "author": {
        "login": "automation",
        "name": "Automation user",
        "uuid": "9f56dd64-161d-43a6-b9c3-555944290a09"
      }
    }
  ]
}
```

Create a new sighting
```python
# Uses the vuln_lookup client created above.
sighting = {"type": "exploited", "source": "<source-of-the-sighting>", "vulnerability": "CVE-2024-9474"}
created_sighting = vuln_lookup.create_sighting(sighting=sighting)
print(created_sighting)
```

Example output:
```json
{
  "metadata": {
    "count": 1,
    "page": 1,
    "per_page": 1000
  },
  "data": [
    {
      "uuid": "b498cb64-9cbc-423a-aea0-bf58d740c024",
      "creation_timestamp": "2024-11-19T10:45:45.634635+01:00",
      "type": "exploited",
      "source": "<source-of-the-sighting>",
      "vulnerability": "CVE-2024-9474",
      "author": {
        "login": "cedric",
        "name": "Cédric",
        "uuid": "8dfa6142-8c6d-4072-953e-71c85404aefb"
      }
    }
  ]
}
```

PyVulnerabilityLookup supports multiple object types within the Vulnerability-Lookup ecosystem.
For more examples, refer to the test suite: https://github.com/vulnerability-lookup/vulnerability-lookup/blob/main/tests/test_web.py