When a new vulnerability prompts discussion on Twitter or hits media outlets, the security community collectively participates in a familiar triage process: Is the bug pervasive, exploitable, or both? Is it worth dropping everything to patch or mitigate? Is the expected shelf life long enough that it’s worth developing an exploit for? Or is it actually...not useful or interesting?

Security researchers and hackers are almost always the first to shed light on the specific conditions and characteristics that make a vulnerability not just exploitable, but actually useful to attackers. The Metasploit team has been working on a new project to capture this knowledge: AttackerKB is a knowledge base of vulnerabilities and informed opinions on what makes them valuable (or not) targets for exploitation. Starting soon, we’re looking for beta users to participate and provide feedback that will maximize AttackerKB’s value to all security practitioners—blue, red, and every other color.

If you have opinions on why not all vulnerabilities are created equal (and you’re not afraid to share those opinions!), we want to work with you to highlight that knowledge for the benefit of the whole community. And before you ask, yes, of course we want beta participants from blue teams and appsec shops and other defenders in addition to offensive security researchers and operators.

Beta sign-up is here: https://forms.gle/9uuypnUkQqFezc9y6

We’ll respond to beta user requests on a rolling basis. We’ll do our best to respond to everyone within a few weeks.

A few notes on what we’re asking for and what you can expect:

  • We’re looking for assessments of vulnerabilities, especially research notes and characteristics that indicate high or low utility for attackers (e.g., unauthenticated RCE, difficult to patch effectively, likely to be present on high-value targets, non-default configuration, requires user interaction).
  • Users can add assessments of vulns, respond directly to others’ analyses, and upvote or downvote contributions.
  • We’re currently using GitHub as an OAuth provider. Because of this, you’ll need a GitHub account to participate in the beta. The site does not store any data that is not already public on GitHub.
  • Expect lots of change, occasional maintenance windows, and regular updates on what we’re adding or subtracting. We’ll be experimenting with different data sources, UI design tweaks, and ways of highlighting top contributors.
  • We’re looking for active participation wherever possible, and we want your feedback (good, bad, and ugly). To that end, you can expect to hear from our product management and UX teams over email and Slack as they request targeted feedback on how we’re solving problems (or not) for users.

This is the first major Metasploit project whose target audience extends beyond developers and pen testers. We’re incredibly excited to work with the community to make it a richer, deeper, and more open trove of knowledge for everyone.