Software is eating the world, and vulnerabilities are multiplying just as fast. Security teams everywhere are stretched thin trying to keep up with identifying, classifying, and remediating vulnerabilities in their environments. Traditional vulnerability management tools are often expensive, closed-source, and disconnected from the growing community of ethical hackers, researchers, and open-source developers. That's where OpenVulnScan and VulnChain come in.
OpenVulnScan is a modern, open-source vulnerability management tool designed for security professionals, developers, and DevSecOps teams who want transparency, extensibility, and simplicity.
- Agent-based Package Reporting: Lightweight agents report installed packages from Linux systems.
- Nmap-based Unauthenticated Scanning: Automatically scan networked hosts for open ports and known CVEs.
- Integrated CVE Lookup: Correlates reported packages and scan data with a live CVE database.
- OAuth2 & Wallet Authentication: Supports Google/GitHub sign-ins and decentralized wallet-based auth.
- Dashboard & Reports: View HTML reports of vulnerabilities per agent, system, or package.
- REST API First: Everything runs on an extensible FastAPI backend for integration or API-first deployments.
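The first three features together form one pipeline: an agent reports what is installed, and the backend correlates that inventory with CVE data. The script below is an added illustration of that correlation step, not OpenVulnScan's own code; the dpkg-style inventory, the CVE feed and the CVE identifiers in it are constructed placeholders, and the version comparison is deliberately simplified.

```python
"""Correlate an agent's package inventory with a CVE feed (added example).

Not OpenVulnScan's code. AGENT_REPORT and CVE_FEED are constructed sample data;
the CVE ids are placeholders, not real advisories.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of what a Linux agent might report ("dpkg -l" style rows).
AGENT_REPORT = """\
ii  openssl      1.1.1f-1ubuntu2   amd64  Secure Sockets Layer toolkit
ii  curl         7.68.0-1ubuntu2   amd64  command line tool for transferring data
ii  bash         5.0-6ubuntu1      amd64  GNU Bourne Again SHell
"""

# Constructed CVE feed: a package is affected when its upstream version is
# older than "fixed_in". The ids are placeholders.
CVE_FEED = [
    {"id": "CVE-0000-0001", "package": "openssl", "fixed_in": "1.1.1g", "severity": "HIGH"},
    {"id": "CVE-0000-0002", "package": "curl", "fixed_in": "7.68.0", "severity": "MEDIUM"},
    {"id": "CVE-0000-0003", "package": "bash", "fixed_in": "4.4", "severity": "LOW"},
]


@dataclass(frozen=True)
class Package:
    name: str
    version: str  # full distro version string, e.g. "1:1.1.1f-1ubuntu2"

    @property
    def upstream_version(self) -> str:
        # Drop the epoch ("1:") and the Debian revision ("-1ubuntu2").
        v = self.version.split(":", 1)[-1]
        return v.split("-", 1)[0]


def parse_dpkg_report(text: str) -> list[Package]:
    """Keep only rows whose status is "ii" (desired=install, state=installed)."""
    pkgs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "ii":
            pkgs.append(Package(parts[1], parts[2]))
    return pkgs


def version_key(v: str) -> tuple:
    """Simplified comparable key: digit runs compare numerically, letter runs
    lexically, so 1.1.1f < 1.1.1g and 7.68.0 == 7.68.0. A production comparator
    must implement the distro's full ordering (Debian's "~", epochs, etc.)."""
    return tuple((0, int(t)) if t.isdigit() else (1, t)
                 for t in re.findall(r"\d+|[A-Za-z]+", v))


def is_vulnerable(pkg: Package, entry: dict) -> bool:
    if pkg.name != entry["package"]:
        return False
    return version_key(pkg.upstream_version) < version_key(entry["fixed_in"])


def correlate(packages: list[Package], feed: list[dict]) -> list[dict]:
    """Return one finding per (package, CVE) pair where the installed version is affected."""
    findings = []
    for pkg in packages:
        for entry in feed:
            if is_vulnerable(pkg, entry):
                findings.append({"package": pkg.name, "installed": pkg.version,
                                 "cve": entry["id"], "severity": entry["severity"]})
    return findings


if __name__ == "__main__":
    for finding in correlate(parse_dpkg_report(AGENT_REPORT), CVE_FEED):
        print(finding)
```

With the constructed data only the openssl row is flagged: curl is exactly at its fix version and bash is newer than it. The "fixed_in" boundary is inclusive on purpose; the commonest false positive in package-level correlation is treating the fixed version itself as vulnerable, and the second commonest is ignoring distro backports, which this simplified comparator does not model.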
It's designed to be lightweight enough for small teams and powerful enough to integrate into CI/CD pipelines.
VulnChain builds on the foundation of OpenVulnScan by introducing token-based incentives and blockchain-backed transparency to vulnerability management.
Think of VulnChain as the "bug bounty meets open vulnerability intel" network. It's a decentralized network where:
- Researchers can submit CVE data or package signatures to help the community.
- Agents can report findings from systems in real time.
- Submissions are timestamped, indexed on-chain, and accessible for trustless verification.
- Contributors are rewarded with tokens for actionable and validated data.

Everything is auditable, exportable, and designed for global collaboration.
Under the hood, VulnChain combines:

- Cardano (via Blockfrost) for decentralized storage of report hashes and contributor reputations.
- IPFS for off-chain storage of vulnerability reports.
- JWT / Wallet auth for identifying contributors and reward recipients.
- OpenVulnScan's API for real-time data intake.
| Use Case | Description |
|---|---|
| Internal Vulnerability Management | Monitor and manage your own assets with full transparency and no vendor lock-in. |
| Threat Intel Collaboration | Share package-level CVE data across organizations without revealing sensitive systems. |
| CI/CD Integration | Use OpenVulnScan's API to halt builds if critical vulns are detected in newly deployed containers. |
| Community-Powered Intel | Submit new signatures or exploit proof-of-concepts and earn token rewards on VulnChain. |
| Audit-Ready Reports | Timestamped, signed reports can be exported or verified during compliance audits. |
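The CI/CD row in the table is the one most teams implement first. Below is an added example of such a build gate, written by the editor rather than taken from OpenVulnScan: the findings endpoint, its response layout and the environment variable names are assumptions to be replaced with the real API, and the findings and CVE ids are constructed placeholders. The gate logic is separated from the HTTP call so it can be tested offline.

```python
"""Fail a CI job when the scanner reports findings at or above a severity
threshold for the freshly built image (added example, not OpenVulnScan's code).

ASSUMPTIONS: the /api/findings route, the JSON shape, and the OPENVULNSCAN_*
environment variables are hypothetical. SAMPLE_FINDINGS and ACCEPTED_RISKS are
constructed; the CVE ids are placeholders.
"""
import json
import os
import sys
import urllib.parse
import urllib.request
from datetime import date

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample of what the (hypothetical) findings endpoint returns.
SAMPLE_FINDINGS = [
    {"cve": "CVE-0000-0001", "package": "openssl", "severity": "CRITICAL"},
    {"cve": "CVE-0000-0002", "package": "curl", "severity": "HIGH"},
    {"cve": "CVE-0000-0003", "package": "bash", "severity": "LOW"},
]

# Constructed risk acceptances: a CVE is waived only until the given ISO date,
# so an old waiver cannot keep suppressing a finding forever.
ACCEPTED_RISKS = {"CVE-0000-0002": "2099-01-01"}


def blocking_findings(findings, threshold="HIGH", accepted=None, today=None):
    """Return the findings that should fail the build.

    Fail closed: a finding with an unknown or missing severity is treated as
    CRITICAL rather than silently ignored."""
    accepted = accepted or {}
    today = today or date.today()
    min_rank = SEVERITY_RANK[threshold.upper()]
    out = []
    for f in findings:
        rank = SEVERITY_RANK.get(str(f.get("severity", "")).upper(), max(SEVERITY_RANK.values()))
        if rank < min_rank:
            continue
        until = accepted.get(f.get("cve"))
        if until and date.fromisoformat(until) >= today:
            continue  # waiver still valid
        out.append(f)
    return out


def fetch_findings(base_url, image_ref, token):
    """HYPOTHETICAL endpoint; OpenVulnScan's real route and auth may differ."""
    url = f"{base_url}/api/findings?image={urllib.parse.quote(image_ref, safe='')}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def main() -> int:
    base_url = os.environ.get("OPENVULNSCAN_URL")
    if base_url:
        findings = fetch_findings(base_url, os.environ["IMAGE_REF"],
                                  os.environ["OPENVULNSCAN_TOKEN"])
    else:
        findings = SAMPLE_FINDINGS  # offline demo run
    blocked = blocking_findings(findings, os.environ.get("FAIL_ON", "HIGH"), ACCEPTED_RISKS)
    for f in blocked:
        print(f"BLOCKING {f['severity']:<8} {f['cve']} in {f['package']}")
    if blocked:
        print(f"{len(blocked)} finding(s) at or above threshold; failing build")
        return 1
    print("no blocking findings")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run without OPENVULNSCAN_URL set, the script evaluates the constructed sample: the CRITICAL openssl finding fails the build, the HIGH curl finding is suppressed by its unexpired waiver, and the LOW bash finding is below the threshold. In a pipeline, the non-zero exit code is what stops the deploy.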
We believe that vulnerability intelligence should be open, collaborative, and incentivized, not siloed in overpriced dashboards or limited to closed bug bounty platforms. OpenVulnScan is the free and transparent foundation, and VulnChain is the decentralized community and incentive layer that brings it to life.
Together, they aim to shift security left, not just in development pipelines, but in the global information-sharing lifecycle.
- OpenVulnScan's hosted demo is coming soon.
- VulnChain's initial prototype will launch with Cardano + IPFS testnet support.
- Community-driven agents for Windows, macOS, and container environments are in development.
- We'll be open-sourcing everything; contributions and feedback are welcome!
Want to contribute? Deploy an agent? Or just follow along?
- GitHub: github.com/sudo-sec/OpenVulnScan
- VulnChain Testnet (coming soon)
- Reach out: sudo-sec.xyz/contact

Together, let's redefine what it means to do vulnerability management: openly, responsibly, and with community at the core.