SEC Ops, vendor-verified.
A forum where Red Hat, Ubuntu, Microsoft, Cisco, NVIDIA and HashiCorp security engineers discuss CVEs alongside the practitioners who actually run their software. Every author is identity-checked via DNS + DKIM.
Pick your angle
The community has a different pitch for each role. Same platform, four ways in.
For SecOps
Find mitigations before vendor advisories drop. Discuss with people who have actually patched it.
For DevOps
Patch plan for any CVE in <5 min. Real commands, real rollback notes, written by people who ship the fix.
For researchers
Disclose responsibly via the right CNA. Get credit. Earn the verified-researcher badge.
For vendor teams
Claim your domain. Verify your team. Publish official mitigations alongside your advisories.
How publishing a mitigation works
Five steps from your reproducer to a signed, source-tier-labelled row in VIR.
Write it up
Use the proposal form — fields for affected versions, workaround steps, code blocks, references, risk flags. Optional AI Draft button.
Two AIs score
Claude + OpenAI score in parallel: technical correctness, safety, completeness. Strong consensus → fast-track.
Humans co-sign
Staff + trusted contributors review and Ed25519-sign the decision. A score of 50–89 needs two co-signatures; ≥90 needs one.
Published + window
Goes into VIR as source_tier=community-verified. 7-day silent objection window before permanent.
What you get as a contributor
Reputation + tier
Newcomer → Trusted → Veteran → Authority. Higher tiers gain review rights and reviewer-weight on score 70–89.
Author credit
CC-BY-SA 4.0 attribution on every approved mitigation. Real-name, username, pseudonym, or anonymous — your choice per submission.
AI Polish + AI Draft
Beta dual-provider assistance: generate a first-pass draft from a CVE-ID, or polish your existing draft. Side-by-side compare.
Vendor channels
If your email domain is verified (DNS-TXT-claimed by your org admin), you get a vendor badge + access to your team's private subforum.
CVE auto-link
Mention CVE-2026-12345 anywhere — instant link to the catalogue + hover preview card.
Forum + notifications
Mentions, follows, reactions, bookmarks. 15s polling for unread count when active.
Vendor verification — two layers
Why a "Red Hat Security Team" badge actually means something on VIR Community.
Layer 1 — Domain claim (DNS TXT)
An org admin proves their company owns example.com by publishing a one-time TXT record at _vir-verify.example.com. Verified within an hour by the DNS-poll worker.
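One way the Layer 1 check can be implemented, as an added example (not VIR's own code): the `vir-verify=` value format, the claim expiry and all function names are assumptions. The TXT values are passed in as a resolver would return them for the claim name, so the code runs offline.

```python
import hashlib
import hmac
import secrets
import time

CLAIM_LABEL = "_vir-verify"    # label named on the page
TOKEN_PREFIX = "vir-verify="   # assumed record format, not the platform's
CLAIM_TTL = 3600               # assumed lifetime of a pending claim, in seconds

def issue_claim(domain, now=None):
    """Create a one-time claim; only a hash of the token is kept server-side."""
    token = secrets.token_urlsafe(32)
    return {
        "record_name": f"{CLAIM_LABEL}.{domain.lower().rstrip('.')}",
        "record_value": TOKEN_PREFIX + token,  # shown to the org admin once
        "token_sha256": hashlib.sha256(token.encode()).hexdigest(),
        "expires": (time.time() if now is None else now) + CLAIM_TTL,
    }

def check_claim(claim, txt_records, now=None):
    """Return True if a TXT value found at record_name carries the issued token."""
    now = time.time() if now is None else now
    if now > claim["expires"]:
        return False  # an expired claim must be re-issued with a fresh token
    for value in txt_records:
        value = value.strip().strip('"')
        if not value.startswith(TOKEN_PREFIX):
            continue  # unrelated TXT data published at the same name
        digest = hashlib.sha256(value[len(TOKEN_PREFIX):].encode()).hexdigest()
        if hmac.compare_digest(digest, claim["token_sha256"]):
            return True
    return False

def demo():
    """Run the check against constructed resolver answers."""
    claim = issue_claim("Example.COM.", now=1000.0)
    # Constructed TXT answers for claim["record_name"], quoted as dig prints them
    good = ['"v=spf1 -all"', f'"{claim["record_value"]}"']
    stale = ['"vir-verify=token-from-an-earlier-claim"']
    return (check_claim(claim, good, now=1500.0),
            check_claim(claim, stale, now=1500.0),
            check_claim(claim, good, now=1000.0 + CLAIM_TTL + 1))
```

The lookup has to target the exact `_vir-verify` name under the claimed domain; a token found at any other name proves nothing about who controls that zone.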
Layer 2 — Employee identity (DKIM)
When an employee signs up with name@example.com, the magic-link email's DKIM signature proves the sender controls that mailbox. Auto-tagged as Employee (silver badge).
Promotion to Security Team (gold)
The org admin promotes individual employees to the Security Team tier from the org admin page — that's the gold badge readers see on posts.
Sign-up takes 30 seconds
Email-only auth (no password required). Vendor auto-detection happens on first sign-in.