Jean-Louis Huynen
Jean-Louis Huynen is a security researcher at CIRCL. He works on threat detection/intel and the development of tools to support incident response. Previously he collaborated with LIST (Luxembourg Institute of Science and Technology, LU) on the development of a Mixed Reality platform for the training of Security Critical Agents (mainly on firearms events and CBRN incidents). His previous research work (and his PhD) at SnT (Interdisciplinary Centre for Security, Reliability and Trust, LU) focused on the usability of security systems and root cause analysis techniques for investigating security incidents.

Sessions
Vulnerability Lookup streamlines the correlation of vulnerabilities from multiple sources, independent of vulnerability IDs, and enhances the management of Coordinated Vulnerability Disclosure (CVD). It also serves as a collaborative platform, allowing users to comment on security advisories and create vulnerability bundles. Developed by CIRCL within the scope of the NIS2 directive, this open-source project aims to improve the efficiency and transparency of vulnerability management. This talk will explore the origins of the project, the challenges faced in coordinated vulnerability disclosure, and how Vulnerability Lookup addresses these challenges.
Fourteen years ago, we established CIRCL, a national-level CERT under the NIS Directive, with a commitment to an open-source strategy from the outset. Over the past 14 years, we have grown from managing small projects to maintaining 17 different open-source initiatives in the cybersecurity field, including the MISP Project, AIL Project, and many others. Throughout this journey, we've gained invaluable insights—both positive and negative. Our experiences span community management, engaging open-source contributors, navigating supply chain distribution, marketing open-source solutions, software licensing, engineering robust software, and ensuring long-term project maintenance. This presentation will share the lessons we've learned and how they have shaped our approach to cybersecurity and open source.