Privacy Policy
Overview
vuln.today is a publicly accessible CVE vulnerability tracker. The service is designed to be used without registration. Authentication is optional and exists solely to enable personalization features such as the tag watchlist and personalized feed.
We are committed to minimizing data collection. We do not collect, store, or process any personal data beyond what is strictly necessary for account functionality.
What Data We Store
When you create an account (sign in), the following information is stored in our database:
- Firebase UID - a unique identifier assigned by Firebase Authentication. This is an opaque string, not personally identifiable on its own.
- Email address - provided by your authentication provider (Google, GitHub, or email/password). Used for display purposes only.
- Display name - provided by your authentication provider. Used for display in the navigation bar.
- Avatar URL - a link to your profile picture from your authentication provider (e.g., Google profile photo).
- Authentication provider - which method you used to sign in (Google, GitHub, or email).
- Account creation date and last login timestamp.
- Watchlist data - which vulnerability tags you have chosen to follow. This is a list of tag IDs, not personal data.
We do not store passwords, payment information, IP addresses, browsing history, cookies beyond the session cookie, analytics data, tracking pixels, or any other personal data. We do not use any third-party analytics or advertising services.
Firebase Authentication (Third-Party Service)
Authentication is handled by Google Firebase Authentication, a service provided by Google LLC. When you sign in, Firebase processes your authentication credentials on Google's infrastructure.
What Firebase stores and manages:
- Authentication credentials - Firebase securely stores your password hash (for email/password accounts) or OAuth tokens (for Google/GitHub sign-in). We never have access to your actual passwords.
- User record - Firebase maintains its own user record with UID, email, display name, photo URL, provider data, and account status.
- Session tokens - Firebase issues and manages session cookies. These are cryptographically signed by Google's servers. We use HttpOnly, Secure, SameSite=Lax cookies with a 5-day expiration.
- Security logs - Firebase may log authentication events (sign-in, sign-out, failed attempts) for security purposes on Google's infrastructure.
Firebase Authentication is governed by Google's Firebase Terms of Service and Google's Privacy Policy.
vuln.today uses Firebase solely for authentication. We do not use Firebase Analytics, Firebase Crashlytics, Firebase Cloud Messaging, or any other Firebase services that could collect additional user data.
No Personal Data Processing
Beyond the minimal account information listed above, vuln.today does not collect, process, or store any data that constitutes personal data under GDPR or similar regulations.
- We do not track your browsing behavior on the site
- We do not use cookies for tracking or advertising purposes
- We do not share any data with third parties (beyond Firebase for authentication)
- We do not build user profiles for marketing or advertising
- We do not use analytics services (no Google Analytics, no Plausible, no Mixpanel)
- We do not store IP addresses or access logs with user identifiers
- The only cookie used is the __session authentication cookie, which is strictly functional
Cookies
vuln.today uses a single cookie:
| Name | Purpose | Duration | Type |
|---|---|---|---|
| __session | Authentication session (Firebase session cookie) | 5 days | Strictly necessary |
This cookie is only set when you sign in. It is HttpOnly (not accessible to JavaScript), Secure (only sent over HTTPS), and SameSite=Lax (not sent with cross-site requests). No tracking or advertising cookies are used.
Additionally, localStorage is used for UI preferences (theme choice, CVE view mode). These are purely local to your browser and never sent to our servers.
Data Retention
Your account data is retained for as long as your account exists. You can delete your account at any time from the Settings page.
When you delete your account:
- All your data is permanently removed from our database (user record, watchlist items)
- Your Firebase Authentication account is permanently deleted from Google's systems
- Your session cookie is invalidated
- This action is irreversible
Your Rights
You have the right to:
- Access - view all data associated with your account on the Settings page
- Delete - permanently delete your account and all associated data from the Settings page
- Portability - your watchlist data (tag IDs) is available via the /api/watchlist API endpoint
- Withdraw consent - sign out and delete your account at any time
To exercise any of these rights or for privacy-related questions, contact us at [email protected].
Infrastructure & Third-Party Services
The following third-party services are used in the delivery of vuln.today:
- Cloudflare - CDN and DDoS protection. Cloudflare may process your IP address and request headers as part of its service. See Cloudflare Privacy Policy.
- Firebase Authentication - user authentication (described above).
- Tailwind CSS CDN, Alpine.js CDN, Chart.js CDN - frontend libraries loaded from CDN. These CDN providers may log access in their server logs.
Changes to This Policy
We reserve the right to update this privacy policy at any time. Changes will be reflected on this page with an updated date. Continued use of the service constitutes acceptance of the updated policy.
Last updated: March 16, 2026