VulnDB Consumer Secret #1096
In the DT Frontend, when configuring the VulnDB analyzer, it has two fields: Consumer Key and Consumer Secret. I created an account at VulnDB using the free tier. However, in my profile settings the only value it offers is a Consumer Key and no Consumer Secret.
I pasted only the Consumer Key into the respective field in DT, and yet the Consumer Secret is green with several dots in it, which I infer means that either there's some common value hardcoded in DT that should work, or it's not required but indicates that a blank secret is fine. I searched both their docs and DT's, but didn't see any information about it. After 24 hours I see no API activity reported for my VulnDB account.
So, is a Consumer Secret actually required? Where is it found? Is it only available for paying accounts?
On the other hand, VulnDB's site looks a bit antiquated in places and it's still using OAuth 1.0? Just thinking, is it a somewhat abandoned service not even worth using nowadays?
Replies: 1 comment 2 replies
Yes, the consumer secret is required. For VulnDB, DT relies on OAuth 1.0a. The consumer secret used to be visible in the VulnDB UI. If it is no longer visible, you may have to contact VulnDB support.
VulnDB does support OAuth 2.0 as well. DT should eventually be updated to support it. But it hasn't been a priority since OAuth 1.0a works fine as is.
The VulnDB service has evolved a lot over the years. Certainly not an abandoned service. It's extremely useful if you want to supplement the NVD with more accurate, actionable, and timely vulnerability intel.
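Why a blank secret cannot work under OAuth 1.0a, as an added example that is not code from Dependency-Track or VulnDB: the consumer secret is the HMAC key for every request signature (RFC 5849), so a request signed with an empty secret fails server-side verification. The HMAC-SHA1 method, the two-legged flow (empty token secret), and the URL, key, secret, nonce and timestamp values are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def enc(value):
    # RFC 5849 section 3.6: percent-encode everything except unreserved chars.
    return quote(value, safe="")


def base_string(method, url, params):
    # Section 3.4.1: METHOD & encoded URL & encoded, sorted parameter string.
    pairs = sorted((enc(k), enc(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), enc(url), enc(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    # Section 3.4.2: key is consumer secret & token secret (token empty here).
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    message = base_string(method, url, params).encode()
    digest = hmac.new(key, message, hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def server_accepts(method, url, params, signature, stored_secret):
    # The server recomputes the signature with the secret it holds for the key.
    expected = sign(method, url, params, stored_secret)
    return hmac.compare_digest(expected, signature)


# Constructed sample values; none of these come from VulnDB or DT.
URL = "https://vulndb.example/api/v1/vulnerabilities"
PARAMS = {
    "oauth_consumer_key": "ck-constructed",
    "oauth_nonce": "n0nce",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1700000000",
    "oauth_version": "1.0",
}
SERVER_SECRET = "cs-constructed"

if __name__ == "__main__":
    good = sign("GET", URL, PARAMS, SERVER_SECRET)
    blank = sign("GET", URL, PARAMS, "")  # only the key was configured
    print("with secret :", server_accepts("GET", URL, PARAMS, good, SERVER_SECRET))
    print("blank secret:", server_accepts("GET", URL, PARAMS, blank, SERVER_SECRET))
```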