Cybersecurity professionals who need to track the latest vulnerability exploits now have a new tool designed to make their job easier, with the launch today of VulnCheck XDB, a database of exploits and proofs of concept hosted on Git repositories.

The tool, from cyberthreat intelligence provider VulnCheck, is aimed at helping vulnerability researchers and security teams prioritize vulnerabilities based on the availability and criticality of new exploits that have been made public.

“There is a significant gap in exploit databases available today for modern security teams,” said Anthony Bettini, CEO and founder of VulnCheck. “That's why we're excited to launch XDB. This complementary tool will be instrumental in helping researchers, offensive teams and detection engineers solve the vulnerability prioritization challenge and bolster security.”

VulnCheck XDB is an open, license-less service and is available to users at launch. It sources information from Git providers like GitHub, GitLab, and Gitee.

Legacy exploit databases are slow, lack details

A major shortcoming of legacy databases is the “single file” model they are designed on, according to Bettini. Exploits these days are often projects with a variety of functionalities, spanning multiple files like configuration files and command line interface files.

“These multifile projects often appear on git repositories (like GitHub), and legacy databases don't support multiple files,” Bettini said. “Usually, when multiple files are involved, other exploit databases don't include it or fold all the files into a single ZIP file, making them unreadable on the websites.”

Another drawback to legacy databases is that they are people-curated and extremely slow to be relied on, Bettini said.
VulnCheck, on the other hand, is offering an autonomous software system for tracking exploit and proof-of-concept code in real time.

“A problem with vulnerability databases today is that we only get basic information about the severity of the vulnerability (CVSS scores) and affected version details,” said Edouard Viot, vice president of product at GitGuardian, a provider of code security software. “A working exploit can inform a business about the risk of their own infrastructure, or test the efficiency of an existing security control.”

VulnCheck XDB features CVE indexing

XDB will be hosted as an autotracking, complementary tool on VulnCheck’s website and will feature the option to search by common vulnerabilities and exploits (CVE) IDs for discovering vulnerabilities with written exploits.

The fact that it's well linked to CVE IDs will be more interesting for organizations that have CVE alerts and want to assess their real risk, according to Viot.

“Application makers only write 10% of their code, 90% of their attack surfaces are the framework that they use. These frameworks use sub-libraries with, on average, three vulnerabilities per year. So, an application maker has a lot of CVEs to manage on their own application because of the dependencies. Having access to the exploitation code could help to do what we call an 'impact analysis',” Viot said.

There are other automatically updated programs designed to allow security professionals to check on new exploits, including from cybersecurity company Exploit DB — but VulnCheck also claims to cover exploits written in other countries or hosted on foreign sites, like Gitee.

“At this time, we're unaware of any other exploit database making any attempt to track exploits written in foreign countries like China,” Bettini said.