Vendor-neutral CVE intelligence, signed and AS-IS.
VIR aggregates, normalises, scores and signs every vulnerability that matters — across operating systems, package ecosystems, and vendor advisories. One canonical record per CVE, distributed via API + mesh + community.
What VIR does
Four jobs, executed continuously. Every piece is observable on the public Sources and Stats pages.
Ingest from 46+ sources
NVD, MITRE CVE Records v5, OSV, GHSA, CISA KEV, Exploit-DB, Metasploit, plus 30+ OS & package-ecosystem advisory feeds.
Normalise into one row
Deduplication across sources. CVSS v3 + v4, severity, references, OS/package/app impact, exploit availability, fix status.
Sign every payload
Ed25519 over canonical JSON. A hash-chained audit log makes silent tampering detectable.
Distribute everywhere
Web UI, JSON API, server-sent events, mesh-node peering. Same signed data feeds SIEMs, compliance bots, and human analysts.
How it's different
Most CVE platforms are either vendor-owned (biased) or scraper-thin (untrusted). VIR solves both.
Source-tier labelling
Every mitigation is tagged vendor, lbreeze, or community-verified. You decide policy per tier.
Community-authored fixes
Forum contributors propose mitigations; two AIs co-score; humans co-sign. Published with attribution + retraction window.
Provenance you can audit
Hash-chained audit log of every state change. Verify the chain yourself — keys published on /healthz.
Who runs it
lbreeze limited
UK-registered software company. PI + Cyber Liability insured. Founder-led, no VC, no exit clock.
VIR is the canonical CVE platform in the lbreeze stack. Standby (compliance evidence) and Zephyr (hosting + billing) sit alongside.
- Node.js / PostgreSQL / Redis / Ed25519 — no Java, no Spring, no surprise.
- Self-hosted on UK + EU infrastructure.
- No third-party JS at runtime; no telemetry on logged-out visitors.
Want CVE intel you can actually trust?
Start with the public catalogue — no signup. Then join the community to author your first mitigation.