Ever wonder how FixTheCVE knows which vulnerabilities affect your specific servers? Here's a look under the hood at our CVE monitoring pipeline.
The Data Pipeline
Our system processes thousands of vulnerability records daily through a multi-stage pipeline:
Stage 1: CVE Ingestion
Every hour, we sync with the National Vulnerability Database (NVD), the authoritative source for CVE data maintained by NIST. When a new CVE is published or updated:
- We fetch the CVE record with all metadata (description, CVSS scores, affected products, references)
- We parse the CPE (Common Platform Enumeration) data to identify affected software and version ranges
- The CVE is stored in our database and enters the enrichment queue
Stage 2: AI Enrichment
Raw CVE descriptions are often technical and hard to act on. Our AI engine analyzes each CVE and generates:
- Plain-English summary: What the vulnerability actually means in simple terms
- Risk assessment: Worst case, likely case, and mitigated case scenarios
- Fix instructions: Step-by-step remediation with copy-paste commands
- Workarounds: What to do if you can't patch immediately
- Detection guidance: How to check if you're vulnerable and how to verify the fix
We process up to 5,000 CVEs per day through our AI pipeline, ensuring even newly published vulnerabilities get actionable guidance quickly.
Stage 3: Threat Intelligence Enrichment
CVSS scores tell you theoretical severity. We add real-world threat data:
- EPSS scores: Updated daily from FIRST.org, these predict the probability of exploitation in the next 30 days
- CISA KEV: The Known Exploited Vulnerabilities catalog confirms which CVEs are being actively used by attackers
- Exploit availability: Whether public proof-of-concept code exists
Stage 4: Package Matching
When you scan a server, here's what happens:
- The scanner collects your installed packages and versions (e.g., openssl 3.0.13-0ubuntu3.4)
- Our system maps each package to known products in the CVE database
- We compare your installed version against affected version ranges for every CVE
- We check your distro's security tracker (Ubuntu, Debian, RHEL, etc.) to verify if the CVE actually affects your build
- Results are filtered to remove false positives (e.g., CVEs that were backport-patched by your distro)
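To make the version-aware and backport-aware steps concrete, here is an added, self-contained illustration of the Stage 4 decision (example code written for this post, not FixTheCVE's production matcher). It implements the Debian/Ubuntu version ordering rules (epoch, upstream, revision, `~` sorting lowest), checks the upstream version against an NVD-style range, and then consults a "fixed in" version from the distro security tracker to suppress backport false positives. The CVE id, the affected range and the tracker entry are constructed placeholders, not real advisory data.

```python
import re
from itertools import zip_longest
from typing import Dict, Tuple

def _order(c) -> int:
    # dpkg ordering: end of run is 0, '~' sorts before everything, letters before other symbols.
    if c is None:
        return 0
    return -1 if c == "~" else (ord(c) if c.isalpha() else ord(c) + 256)

def _cmp_fragment(a: str, b: str) -> int:
    # Walk both strings as alternating (non-digit, digit) runs, the way dpkg does.
    runs_a, runs_b = re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b)
    for (na, da), (nb, db) in zip_longest(runs_a, runs_b, fillvalue=("", "")):
        for ca, cb in zip_longest(na, nb):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        d = int(da or 0) - int(db or 0)  # digit runs compare numerically
        if d:
            return d
    return 0

def _split(v: str) -> Tuple[int, str, str]:
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def dpkg_cmp(v1: str, v2: str) -> int:
    """Return -1, 0 or 1 ordering two Debian/Ubuntu package versions."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    c = (e1 > e2) - (e1 < e2) or _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)
    return (c > 0) - (c < 0)

def is_affected(pkg: str, version: str, rng: Dict[str, str], tracker: Dict[Tuple[str, str], str]) -> Tuple[bool, str]:
    """Stage-4 decision: NVD version range first, then the distro security tracker."""
    if rng["product"] != pkg:
        return False, "product mismatch"
    upstream = _split(version)[1]  # NVD ranges are expressed in upstream versions
    if rng.get("start_incl") and dpkg_cmp(upstream, rng["start_incl"]) < 0:
        return False, "below affected range"
    if rng.get("end_excl") and dpkg_cmp(upstream, rng["end_excl"]) >= 0:
        return False, "upstream version already fixed"
    fixed = tracker.get((pkg, rng["cve"]))  # distro "fixed in" version, if the tracker has one
    if fixed and dpkg_cmp(version, fixed) >= 0:
        return False, f"backported fix present in {fixed}"
    return True, "in affected range and no distro fix"

# Constructed sample data: hypothetical CVE id, range and tracker entry, not a real advisory.
RANGE = {"cve": "CVE-0000-00001", "product": "openssl", "start_incl": "3.0.0", "end_excl": "3.0.14"}
TRACKER = {("openssl", "CVE-0000-00001"): "3.0.13-0ubuntu3.2"}
```

With the sample tracker entry, openssl 3.0.13-0ubuntu3.4 falls inside the NVD range but is reported as not affected because the distro revision already carries the backported fix; drop the tracker entry and the same package is flagged.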
Stage 5: Alerting
When a new CVE matches one of your packages:
- It appears in your dashboard immediately
- If you have instant alerts enabled, an email is sent within minutes
- It's included in your next daily/weekly digest
Why This Matters
False Positive Reduction
Many vulnerability scanners report CVEs based on package names alone, generating noise. We go further:
- Version-aware matching: We check if your exact version is in the affected range
- Distro backport detection: Ubuntu/Debian often backport security fixes without changing the major version number. We check distro security trackers to avoid false alarms.
- Architecture awareness: A CVE in the Windows build of OpenSSL doesn't affect your Linux server
Speed
Our pipeline runs continuously:
- New CVEs: detected within 1 hour of NVD publication
- EPSS updates: daily refresh at 6 AM UTC
- CISA KEV: daily refresh at 7 AM UTC
- AI analysis: processed within hours of ingestion
What We Monitor
| Platform | Package Manager | Examples |
|---|---|---|
| Ubuntu/Debian | APT (dpkg) | openssl, nginx, linux-image, python3 |
| RHEL/Rocky/Alma | DNF/YUM (rpm) | httpd, kernel, openssh-server |
| Windows | Windows Update | KB patches, cumulative updates |
Database Scale
As of today, FixTheCVE tracks:
- 50,000+ CVEs with full details and AI analysis
- Growing daily as NVD publishes ~80 new CVEs per day
- Historical coverage back to 1999 for legacy system support
Want to see it in action? Create your free account and scan your first server. You'll have a complete vulnerability report in minutes.