Commit e46c440

chg: [documentation] Improved sightings definition and referenced the JSON schema.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent 0f81675 commit e46c440

1 file changed

Lines changed: 40 additions & 17 deletions

content/user-manual/sightings/index.md

@@ -6,18 +6,40 @@ toc: true
66

77
## Presentation
88

9-
Users have the possibility to add observations to vulnerabilities with different types of sightings, such as: seen, exploited, not exploited, confirmed, not confirmed, patched, and not patched.
10-
11-
| Type | Description | Negative/Opposite |
12-
|----------------------------|------------------------------------------------------------------------------------------------|-------------------|
13-
| seen | The vulnerability was mentioned, discussed, or observed by the user. | No |
14-
| confirmed | The vulnerability has been validated from an analyst's perspective | Yes |
15-
| published-proof-of-concept | A public proof of concept is available for this vulnerability. | No |
16-
| exploited | The vulnerability was observed as exploited by the user who reported the sighting. | Yes |
17-
| patched | The vulnerability was observed as successfully patched by the user who reported the sighting. | Yes |
18-
19-
20-
You can find the corresponding definition of this MISP taxonomy
9+
A **sighting** is a structured observation tying a real-world signal to a specific vulnerability. It records that a user, automation tool, or external source observed, confirmed, exploited, or patched the vulnerability at a given point in time. Sightings let Vulnerability-Lookup capture context that does not appear in static advisories — chatter on social networks, publication of proofs of concept, observed exploitation, patching activity, and so on — and attach it to the vulnerabilities the platform already tracks.
10+
11+
The exact structure of a sighting is described by a JSON schema:
12+
[Sighting.json](https://vulnerability.circl.lu/static/schemas/CIRCL/Sighting.json).
13+
14+
### Fields
15+
16+
| Field | Type | Required | Description |
17+
|-------------------------------|-----------------------|----------|---------------------------------------------------------------------------------------------------|
18+
| `uuid` | UUIDv4 | yes | Unique identifier of the sighting (assigned by the server). |
19+
| `vulnerability_lookup_origin` | UUIDv4 | yes | Identifier of the Vulnerability-Lookup instance that produced the sighting. |
20+
| `author` | UUIDv4 | yes | Identifier of the author who created the sighting. |
21+
| `vulnerability` | string | yes | The vulnerability the sighting refers to (e.g. a CVE, GHSA, or other supported identifier). |
22+
| `type` | enum | yes | One of the sighting types listed below. |
23+
| `creation_timestamp` | date-time | yes | When the sighting was created. |
24+
| `source` | string (≤ 2048 chars) | no | Where the sighting comes from: a Fediverse status URI, a link, a tool name, a MISP event UUID, etc. |
25+
| `content` | string | no | Optional free-form description of the sighting. |
26+
27+
### Types
28+
29+
A sighting carries one of the following observation types:
30+
31+
| Type | Description |
32+
|------------------------------|------------------------------------------------------------------------------------------------|
33+
| `seen` | The vulnerability was mentioned, discussed, or observed by the reporter. |
34+
| `confirmed` | The vulnerability has been validated from an analyst's perspective. |
35+
| `not-confirmed` | The vulnerability could not be validated by the reporter. |
36+
| `published-proof-of-concept` | A public proof of concept is available for this vulnerability. |
37+
| `exploited` | The vulnerability was observed as exploited by the reporter. |
38+
| `not-exploited` | The vulnerability was checked by the reporter and found not to be exploited. |
39+
| `patched` | The vulnerability was observed as successfully patched by the reporter. |
40+
| `not-patched` | The vulnerability was checked by the reporter and found not to be patched. |
41+
42+
The corresponding MISP taxonomy is documented
2143
[here](https://www.circl.lu/doc/misp-taxonomies/#_sighting).
2244

2345

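Review bot: In the new Fields table, `uuid` is marked Required "yes" while its description says it is assigned by the server, so a reader cannot tell whether a client submitting a sighting has to send it. The same question applies to `vulnerability_lookup_origin`, `author` and `creation_timestamp`. Suggest stating whether the Required column describes the stored object or the submission payload. Separately, `source` gives a 2048-character limit but `content` gives none; if the schema bounds it, state the limit here. Both fields hold free-form text from external sources (a Fediverse status URI, a link), so one sentence telling consumers to treat them as untrusted input when rendering or following them would be worth adding.
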
@@ -52,13 +74,14 @@ a Python library to access Vulnerability-Lookup via its REST API.
5274

5375
```json
5476
{
55-
"uuid": "f6ed692b-2656-4ce0-bcf1-eaf12dfe281d",
77+
"uuid": "d292fe1c-b3b8-4d88-984d-aaa3680c92ff",
5678
"vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
57-
"author": "8dfa6142-8c6d-4072-953e-71c85404aefb",
79+
"author": "9f56dd64-161d-43a6-b9c3-555944290a09",
80+
"vulnerability": "CVE-2026-3323",
5881
"type": "seen",
59-
"source": "https://infosec.exchange/users/cve/statuses/113389560858828548",
60-
"vulnerability": "CVE-2024-10312",
61-
"creation_timestamp": "2024-10-29T08:36:31.492184Z"
82+
"source": "https://infosec.exchange/users/certvde/statuses/116515547941636846",
83+
"content": "#OT #Advisory VDE-2026-048VEGA: Missing Authentication for critical function in VEGAPULS Bluetooth products\nVulnerable components expose sensitive information to unauthorized actors through an unsecured configuration interface. Vulnerable firmware releases contain an unsecured configuration interface that allows retrieval of sensitive information such as hashed credentials.#CVE CVE-2026-3323\nhttps://certvde.com/en/advisories/vde-2026-048/\n#CSAF https://vega.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-048.json",
84+
"creation_timestamp": "2026-05-04T09:16:09.070432Z"
6285
}
6386
```
6487

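Review bot: The new `content` value in this example is a full verbatim post with embedded `\n` escapes and two URLs, which buries the structure the example is meant to show; suggest trimming it to one or two sentences. The key order also differs from the Fields table added earlier in this commit: `creation_timestamp` comes last here, after `source` and `content`, and matching the table order would make the two easier to compare. If the new `uuid` and `author` values come from a live record, consider saying so or replacing them with placeholders.
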