Russian Vulnerability Scanner Database

Navigation

Help & DocumentationPlatform OverviewHow to Use the PlatformVulnerability Scoring SystemsFrequently Asked QuestionsRelease History

This guide will help you master professional vulnerability analysis methodologies using the Vulnerability Catalog — an educational showcase of Scanner-VS 7 technologies by JSC “Echelon Technologies”.

Educational Value of the Platform

Learning Modern Threat Analysis Approaches

The catalog demonstrates professional methodologies used in the commercial Scanner-VS 7, allowing information security specialists to study and practice modern approaches to threat assessment and prioritization.

Working with Real Data

The platform provides access to the same normalized database used in industrial protection systems, ensuring practical experience with professional tools.

Methodology for Effective Vulnerability Search

1. Targeted Search by Identifiers

Search by CVE ID:

Specify in the search field “Search” -> “Search by ID and description”

CVE-2024-1234

If no source is selected, the search will be performed among all identifier sources. To specify a known source, check the box next to it, for example, nvd.

Click “Apply filters”

As a result, you will see the vulnerability card CVE-2024-1234

Search by BDU:

Specify in the search field “Search” -> “Search by ID and description”

BDU:2025-02043

If no source is selected, the search will be performed among all identifier sources. To specify a known source, check the box next to it, for example, bdu.

Click “Apply filters”

As a result, you will see the vulnerability card BDU:2025-02043

Search by RED OS vulnerabilities:

Specify in the search field “Search” -> “Search by ID and description”

ROS-20250212-05

If no source is selected, the search will be performed among all identifier sources. To specify a known source, check the box next to it, for example, redos.

Click “Apply filters”

As a result, you will see the vulnerability card ROS-20250212-05

Search by Multiple Identifiers: Use spaces to separate multiple vulnerability identifiers for comprehensive analysis of related vulnerabilities.

2. Contextual Search by Keywords

Search by Technologies:

  • Apache, Nginx, IIS — web servers
  • MySQL, PostgreSQL, Oracle — database management systems
  • Windows, Linux, Android — operating systems

Search by Vulnerability Types:

  • SQL injection, XSS, RCE — attack types
  • buffer overflow, privilege escalation — exploitation mechanisms
  • authentication bypass, information disclosure — consequences

3. Professional Risk Filtering

Critical Analysis (Priority Threats):

  • CVSS Score: 9.0 - 10.0
  • EPSS Score: 0.8 - 1.0
  • Status: Active exploits available

Strategic Analysis (Planned Measures):

  • CVSS Score: 7.0 - 8.9
  • EPSS Score: 0.5 - 0.8
  • Timeframe: Within a month

Monitoring (Development Observation):

  • CVSS Score: 4.0 - 6.9
  • EPSS Score: 0.2 - 0.5
  • Frequency: Monthly reassessment

Vulnerability Analysis System

Understanding Vulnerability Cards

Each vulnerability is displayed as a card containing key information for quick assessment:

Card Header:

  • CVE ID — unique identifier for tracking
  • Brief Description — vulnerability essence in one sentence

Severity Color Indication:

  • 🔴 Critical (9.0-10.0) — immediate response
  • 🟠 High (7.0-8.9) — priority remediation
  • 🟡 Medium (4.0-6.9) — planned measures
  • 🟢 Low (0.1-3.9) — background monitoring

Exploitation Indicators:

  • 🔴 High EPSS (0.8+) — active exploitation expected
  • 🟡 Medium EPSS (0.5-0.8) — moderate attack probability
  • 🟢 Low EPSS (0.2-0.5) — limited attacker interest

Detailed Vulnerability Analysis

When accessing detailed information, you get:

Technical Context:

  • Complete vulnerability mechanism description
  • Attack vector and required conditions
  • Potential exploitation consequences

Risk Metrics:

  • CVSS v2/v3/v4 with component breakdown
  • EPSS score with probability forecast
  • Temporal metrics for changing factor consideration

Practical Information:

  • Affected Products with version specifications
  • Available Exploits and their characteristics
  • Protection Recommendations from vendors

Professional Prioritization Methodology

Decision Matrix

Immediate Actions (within 24 hours):

  • CVSS ≥ 9.0 + EPSS ≥ 0.8 + Available exploits
  • Critical infrastructure + Public access
  • Absence of compensating controls

Priority Measures (within a week):

  • CVSS 7.0-8.9 + EPSS ≥ 0.5
  • Widely used technologies
  • Presence of proof-of-concept exploits

Planned Actions (within a month):

  • CVSS 4.0-6.9 + EPSS 0.2-0.5
  • Specialized systems
  • Theoretical attack vectors

Environment Specificity Consideration

Applicability Analysis:

  1. Asset Inventory — what technologies are used
  2. Accessibility Assessment — external/internal interfaces
  3. Protective Measures Analysis — existing controls
  4. Criticality Assessment — system importance for business

Priority Adjustment Factors:

  • System Criticality — production systems vs. test environments
  • Network Accessibility — internet vs. internal network
  • Protective Measures Presence — WAF, IPS, network segmentation
  • Exploitation Complexity — attacker requirements

Working with Multiple Data Sources

Russian and International Standards

FSTEC Russia BDU:

  • Official Russian risk assessments
  • Protection requirements for government organizations
  • Domestic software specifics

RED OS Security Bulletins:

  • In accordance with FSTEC Russia requirements, RED OS ensures continuous vulnerability search, develops security updates and compensatory measures to prevent vulnerability exploitation.
  • Licensees of the certified RED OS edition must apply published updates to ensure security and neutralize vulnerability threats.

Astra Linux Special Edition OS Security Bulletins:

  • Licensees using Astra Linux Special Edition OS, certified according to FSTEC Russia information security requirements (certificate № 2557), must apply the methodologies and software updates published in security bulletins to neutralize vulnerability threats in information systems.

NIST NVD:

  • International assessment standards
  • Wide coverage of commercial products
  • Current CVSS metrics

FIRST.org EPSS:

  • Predictive exploitation models
  • Daily updates based on threat intelligence
  • Machine learning for trend prediction

Comparative Assessment Analysis

When assessments differ from various sources:

  1. Priority to Russian sources for domestic software
  2. Environment specificity consideration — domestic vs. foreign threats
  3. Conservative approach — using higher assessments
  4. Expert evaluation — involving internal specialists

Integration with Risk Management Processes

Analysis Documentation

Standard Vulnerability Report:

  • Vulnerability identifier and description
  • Risk assessments with justification
  • Affected systems in the organization
  • Recommended protective measures
  • Remediation timeframes

Remediation Tracking:

  • Recommendation implementation status
  • Alternative protective measures
  • Compromise indicator monitoring
  • Risk reassessment after remediation

Management Communication

Executive Summary:

  • Number of critical vulnerabilities
  • Potential business risks
  • Required resources for remediation
  • Timeframes and priorities

Transition to Automated Analysis

Manual Analysis Limitations

The Vulnerability Catalog is effective for:

  • Educational purposes and methodology learning
  • Specific threat research and their characteristics
  • Public data analysis on new vulnerabilities
  • Solution applicability assessment to your environment

Scanner-VS 7 Capabilities

For production use, Scanner-VS 7 provides:

Automated Scanning:

  • Real-time vulnerability detection
  • Network segment and individual host scanning
  • Security configuration analysis
  • Account and password auditing

Intelligent Prioritization:

  • Automatic applicability assessment to your environment
  • Network topology and protective measures consideration
  • Personalized remediation recommendations
  • Asset management system integration

Operational Efficiency:

  • 1-minute deployment on any platform
  • Minimal resource requirements (2 GB RAM)
  • Domestic OS support (Astra Linux, RED OS)
  • Container execution (Docker, Kubernetes)

Getting a Professional System

When to Transition to Scanner-VS 7

Implementation Criteria:

  • Need for regular infrastructure scanning
  • FSTEC Russia compliance requirements
  • Need for information security process automation
  • Professional technical support necessity

Contacts for Commercial Version:

The Vulnerability Catalog provides a solid foundation for learning modern threat analysis methodologies, while * Scanner-VS 7 extends these capabilities to enterprise-class industrial protection system level.