git.stella-ops.org/src/StellaOps.Feedser.Source.CertCc
root df5984d07e
2025-10-10 06:53:40 +00:00

CERT/CC Vulnerability Notes Source Research

Canonical publication endpoints

  • Public portal https://www.kb.cert.org/vuls/ lists recently published Vulnerability Notes and exposes a “Subscribe to our feed” link that serves as the automation entry point.
  • Atom feed https://www.kb.cert.org/vulfeed returns an Atom 1.0 feed of the same notes (<title>, <updated>, <summary> carrying an HTML payload). Feed metadata advertises rel="self" at https://kb.cert.org/vuls/atomfeed/. Send conditional GET headers (If-Modified-Since, If-None-Match) so that an unchanged feed is answered with 304 instead of being refetched and re-parsed.
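The polling half of the connector, written out as an added example (Python for illustration; this is not StellaOps connector code). It parses the Atom 1.0 shape described above, derives If-None-Match / If-Modified-Since from the validators of the previous response, and reports only entries whose <updated> value moved. The names AtomEntry, FeedState, parse_atom, conditional_headers and apply_response are this example's own, and SAMPLE_FEED is constructed, with placeholder note IDs, not captured kb.cert.org data.

```python
"""Atom polling with conditional GET for the CERT/CC feed (added example)."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

ATOM = "{http://www.w3.org/2005/Atom}"
NOTE_ID_RE = re.compile(r"/vuls/id/(\d+)")

# Constructed two-entry feed mimicking https://www.kb.cert.org/vulfeed.
# Note IDs and text are placeholders, not real CERT/CC data.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom">
  <title>CERT Recently Published Vulnerability Notes</title>
  <link rel="self" href="https://kb.cert.org/vuls/atomfeed/"/>
  <updated>2025-10-09T15:00:00+00:00</updated>
  <entry>
    <title>VU#257161: Placeholder title A</title>
    <link href="https://kb.cert.org/vuls/id/257161"/>
    <id>https://kb.cert.org/vuls/id/257161</id>
    <updated>2025-10-09T15:00:00+00:00</updated>
    <summary type="html">&lt;p&gt;Placeholder summary A.&lt;/p&gt;</summary>
  </entry>
  <entry>
    <title>VU#000001: Placeholder title B</title>
    <link href="https://kb.cert.org/vuls/id/000001"/>
    <id>https://kb.cert.org/vuls/id/000001</id>
    <updated>2025-10-08T09:30:00+00:00</updated>
    <summary type="html">&lt;p&gt;Placeholder summary B.&lt;/p&gt;</summary>
  </entry>
</feed>
"""


@dataclass(frozen=True)
class AtomEntry:
    note_id: str          # numeric VU# id taken from the entry's alternate link
    title: str
    updated: datetime     # timezone-aware, parsed from <updated>
    summary_html: str     # raw HTML payload; sanitise before rendering anywhere


@dataclass
class FeedState:
    """What the connector persists between polls."""
    etag: Optional[str] = None
    last_modified: Optional[str] = None
    seen: Dict[str, datetime] = field(default_factory=dict)  # note_id -> updated


def parse_atom(xml_text: str) -> List[AtomEntry]:
    """Parse Atom 1.0 entries; entries without a numeric note link are skipped."""
    root = ET.fromstring(xml_text)
    entries = []
    for entry in root.iter(ATOM + "entry"):
        href = ""
        for link in entry.findall(ATOM + "link"):
            # A <link> without rel is rel="alternate" per Atom 1.0.
            if link.get("rel", "alternate") == "alternate":
                href = link.get("href", "")
                break
        match = NOTE_ID_RE.search(href)
        if not match:
            continue
        entries.append(AtomEntry(
            note_id=match.group(1),
            title=(entry.findtext(ATOM + "title") or "").strip(),
            updated=datetime.fromisoformat(entry.findtext(ATOM + "updated")),
            summary_html=entry.findtext(ATOM + "summary") or "",
        ))
    return entries


def conditional_headers(state: FeedState) -> Dict[str, str]:
    """Headers that let the server answer 304 when the feed is unchanged."""
    headers = {}
    if state.etag:
        headers["If-None-Match"] = state.etag
    if state.last_modified:
        headers["If-Modified-Since"] = state.last_modified
    return headers


def apply_response(state: FeedState, status: int, headers: Dict[str, str],
                   body: str) -> List[AtomEntry]:
    """Update state from one poll and return only new or changed entries."""
    if status == 304:
        return []  # validators matched; nothing to parse
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    state.etag = lower.get("etag", state.etag)
    state.last_modified = lower.get("last-modified", state.last_modified)
    changed = []
    for entry in parse_atom(body):
        if state.seen.get(entry.note_id) != entry.updated:
            state.seen[entry.note_id] = entry.updated
            changed.append(entry)
    return changed
```

A 304 costs one round trip and no parsing; a 200 that repeats already-seen entries costs parsing but yields no work, which is why the per-note <updated> comparison sits behind the validator check rather than replacing it.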

VINCE Vulnerability Note API

The VINCE documentation describes an unauthenticated REST-style API for structured retrieval:

| Endpoint | Payload | Notes |
| --- | --- | --- |
| GET /vuls/api/{id}/ | Canonical note metadata (title, overview, markdown segments, timestamps, aliases). | Use the numeric ID (e.g., 257161). |
| GET /vuls/api/{id}/vuls/ | Per-CVE vulnerability records tied to the note. | Includes CVE, description, timestamps. |
| GET /vuls/api/{id}/vendors/ | Vendor statements per advisory. | Provides status text and optional references. |
| GET /vuls/api/{id}/vendors/vuls/ | Vendor × vulnerability status matrix. | “known_affected” vs “known_not_affected” semantics. |
| GET /vuls/api/vuls/cve/{cve}/ | Reverse lookup by CVE. | Returns combined note + vendor context. |
| GET /vuls/api/{year}/summary/ | Annual summary listing (count, notes[]). | Year-month variants exist (/{year}/{month}/summary/). |
| GET /vuls/api/{id}/csaf/ | CSAF 2.0 export generated by VINCE. | Useful for downstream CSAF tooling. |

Operational considerations:

  • API responses are JSON (UTF-8) and publicly accessible; no authentication tokens or cookies are required.
  • Monthly and annual summary endpoints enable incremental crawling without diffing the Atom feed.
  • Expect high-volume notes to expose dozens of vendor records; prepare batching and pagination at the connector layer even though the API currently returns full arrays.
  • Apply polite backoff: the documentation does not publish explicit rate limits, but the kb.cert.org infrastructure throttles bursts; mirror the existing backoff strategy (exponential with jitter) used by other connectors.
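The three points above (path construction from the endpoint table, the vendor × vulnerability matrix semantics, and exponential backoff with jitter) as one added example in Python; it is not StellaOps connector code. The endpoint paths are the ones listed in the table; everything else is this example's assumption: the function names vince_url, normalize_matrix, backoff_delays and fetch_with_backoff, the JSON field names "vendor", "cve" and "status" for matrix records, the choice of 429 and 5xx as retryable statuses, and SAMPLE_MATRIX, which is constructed with placeholder CVE identifiers rather than captured VINCE output.

```python
"""VINCE endpoint building, vendor-matrix normalisation and backoff (added example)."""
import random
import time
from typing import Callable, Dict, List, Optional, Tuple

BASE = "https://www.kb.cert.org"

# Paths from the VINCE table above; {id} is the numeric note id (e.g. 257161).
ENDPOINTS = {
    "note": "/vuls/api/{id}/",
    "vuls": "/vuls/api/{id}/vuls/",
    "vendors": "/vuls/api/{id}/vendors/",
    "vendor_matrix": "/vuls/api/{id}/vendors/vuls/",
    "by_cve": "/vuls/api/vuls/cve/{cve}/",
    "year_summary": "/vuls/api/{year}/summary/",
    "month_summary": "/vuls/api/{year}/{month}/summary/",
    "csaf": "/vuls/api/{id}/csaf/",
}


def vince_url(kind: str, **params) -> str:
    """Build a VINCE URL, refusing parameter values that could alter the path."""
    for key, value in params.items():
        text = str(value)
        if not text or any(ch in text for ch in "/?#") or ".." in text:
            raise ValueError(f"unsafe path segment for {key}: {text!r}")
    return BASE + ENDPOINTS[kind].format(**params)


# Constructed sample of the vendor x vulnerability matrix (field names assumed).
SAMPLE_MATRIX = [
    {"vendor": "Vendor A", "cve": "CVE-0000-0001", "status": "known_affected"},
    {"vendor": "Vendor A", "cve": "CVE-0000-0002", "status": "known_not_affected"},
    {"vendor": "Vendor B", "cve": "CVE-0000-0001", "status": "unknown"},
]


def normalize_matrix(records: List[dict]) -> Dict[Tuple[str, str], Optional[bool]]:
    """Map VINCE statuses onto a three-valued affected flag per (vendor, cve).

    Only the two documented statuses are interpreted; anything else becomes
    None so that a new or unexpected status never silently reads as
    'not affected' downstream."""
    mapping = {"known_affected": True, "known_not_affected": False}
    matrix: Dict[Tuple[str, str], Optional[bool]] = {}
    for record in records:
        matrix[(record["vendor"], record["cve"])] = mapping.get(record.get("status"))
    return matrix


def backoff_delays(attempts: int, base: float = 1.0, cap: float = 60.0,
                   seed: Optional[int] = None) -> List[float]:
    """Exponential backoff with full jitter: delay_n drawn from [0, min(cap, base*2^n)]."""
    rng = random.Random(seed)
    return [rng.uniform(0, min(cap, base * 2 ** n)) for n in range(attempts)]


def fetch_with_backoff(transport: Callable[[str], Tuple[int, object]], url: str,
                       attempts: int = 5, seed: Optional[int] = None,
                       sleep: Callable[[float], None] = time.sleep) -> Tuple[int, object]:
    """Call transport(url) and retry on throttling (429) or upstream errors (5xx).

    transport returns (status, parsed_json); sleep is injectable so tests run instantly."""
    delays = backoff_delays(attempts, seed=seed)
    status, payload = 0, None
    for n in range(attempts):
        status, payload = transport(url)
        retryable = status == 429 or status >= 500
        if not retryable:
            return status, payload
        if n < attempts - 1:
            sleep(delays[n])  # jittered wait before the next attempt
    return status, payload  # last failure is returned to the caller, not swallowed
```

Full jitter (a uniform draw from zero up to the exponential ceiling) spreads retries from many workers across the whole interval, which is what keeps a fleet of connectors from re-synchronising into the same burst the throttle rejected.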

Historical data sets

CERT/CC publishes a Vulnerability Data Archive (JSON exports plus tooling) for deep history or backfills. The archive is hosted on the SEI site with mirrored GitHub repositories containing normalized JSON conversions.

Next steps for the connector

  1. Implement Atom polling for quick detection, with VINCE API lookups for structured details. CertCcSummaryPlanner already computes the VINCE year/month summary URIs to fetch per window; wire this into the fetch job and persist the resulting TimeWindowCursorState.
  2. Persist updated timestamps and VINCE revision counters to drive resume logic.
  3. Capture vendor statements/CSAF exports to populate range primitives once the model hooks exist.
  4. Evaluate using the data archive for seed fixtures covering legacy notes (pre-2010).
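Steps 1 and 2 together, as an added illustration in Python of the window-planning and resume logic the connector needs; it is not the project's CertCcSummaryPlanner or TimeWindowCursorState, and the names plan_summary_uris, Cursor, select_for_fetch and commit are this example's own. The summary paths are the ones in the VINCE table; the example's own choices are to use the annual endpoint for any calendar year the window covers completely and monthly endpoints otherwise, to write the month unpadded, and to assume the summary's notes[] items carry "id", "updated" and "revision" fields. SAMPLE_SUMMARY is constructed with placeholder IDs, not captured VINCE output.

```python
"""Summary-window planning and resume cursor for incremental crawling (added example)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

BASE = "https://www.kb.cert.org"


def plan_summary_uris(start_iso: str, end_iso: str) -> List[str]:
    """Summary URIs covering the inclusive window [start, end], coarsest first.

    Dates are ISO strings (YYYY-MM-DD). A year fully inside the window maps to
    one annual summary call; partial years map to one call per month."""
    start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    if end < start:
        raise ValueError("window end precedes start")
    uris = []
    for year in range(start.year, end.year + 1):
        if start <= date(year, 1, 1) and end >= date(year, 12, 31):
            uris.append(f"{BASE}/vuls/api/{year}/summary/")
            continue
        first = start.month if year == start.year else 1
        last = end.month if year == end.year else 12
        for month in range(first, last + 1):
            uris.append(f"{BASE}/vuls/api/{year}/{month}/summary/")  # month unpadded (assumption)
    return uris


@dataclass
class Cursor:
    """Persisted resume state: the window already processed plus, per note,
    the last (updated, revision) pair used to decide whether to refetch."""
    window_end: Optional[str] = None
    notes: Dict[str, Tuple[str, Optional[int]]] = field(default_factory=dict)


# Constructed summary payload shaped like the documented {count, notes[]};
# the per-note field names and the IDs are placeholders/assumptions.
SAMPLE_SUMMARY = {
    "count": 2,
    "notes": [
        {"id": "257161", "updated": "2025-10-09T15:00:00+00:00", "revision": 3},
        {"id": "000001", "updated": "2025-10-08T09:30:00+00:00", "revision": 1},
    ],
}


def select_for_fetch(cursor: Cursor, summary: dict) -> List[str]:
    """Return note ids whose timestamp or revision moved since the last run."""
    todo = []
    for note in summary["notes"]:
        key = (note["updated"], note.get("revision"))
        if cursor.notes.get(note["id"]) != key:
            todo.append(note["id"])
    return todo


def commit(cursor: Cursor, summary: dict, window_end_iso: str) -> Cursor:
    """Record processed notes and advance the window.

    Call this only after the detail fetches (note, vendors, CSAF) for the
    window succeeded; committing first would let a crash skip notes."""
    for note in summary["notes"]:
        cursor.notes[note["id"]] = (note["updated"], note.get("revision"))
    cursor.window_end = window_end_iso
    return cursor
```

Keying the refetch decision on both the timestamp and the revision counter covers the case where a note is re-issued with the same timestamp but a bumped revision, and the case where the revision stays constant while only the timestamp advances; either change on its own triggers a detail fetch.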