CS50 Final Project. Utilizing the Python NVD API wrapper and REST API, Slooth performs queries specifically for Common Vulnerabilities and Exposures (CVEs), providing a unique identifier known as the CVE ID for stakeholders to discuss and research specific exploits.

TheAxumite/SLOOTH-Security-Vulnerability-Search-and-Management

SLOOTH: Comprehensive Security Vulnerability Search and Management System

Overview

Slooth is an advanced vulnerability management system designed to help organizations stay ahead of security threats. By leveraging the Python NVD API wrapper and a REST API, Slooth fetches and organizes data about Common Vulnerabilities and Exposures (CVEs). It provides a unique identifier, the CVE ID, for stakeholders to discuss and research specific vulnerabilities.

Video Demo

Watch the Demo

Features

Slooth is built with Python 3 and Flask, and uses a frontend created with HTML, CSS, and JavaScript. It uses OpenCVE's REST API for querying CVEs and manages data across 9 database tables:

  • Company Table: Stores registering organization’s information
  • System Log Table: Logs all user activities
  • Vendor Table: Stores vendor names in the company's inventory
  • Product Table: Keeps record of vendor systems in the company's inventory
  • Work_log Table: Logs vulnerabilities assigned to engineers
  • Added_CVE Table: Stores vulnerabilities added to the inventory
  • Comments Table: Stores engineering notes for each CVE
  • Temp_account Table: Manages new accounts with temporary passwords or password reset accounts
  • Users Table: Keeps record of all user accounts

Used Python Libraries

  • nvdlib
  • datetime
  • secrets
  • re
  • flask_session
  • flask_wtf
  • json
  • string
  • Jinja2
  • functools

Getting Started

  1. Create a user account; it's recommended to also create an engineer account for IT security personnel. A temporary password will be sent to the user's email upon account creation.
  2. Add all systems in the environment to the account for tracking.
  3. Start searching for CVEs using one of the multiple query options available.
  4. Add relevant CVEs to your organization's inventory using an administrator account.
  5. Assign CVEs to engineers through the ticketing system and track progress through the dashboard.

How to Use

  • CVE Search: Input a specific CVE number or a date range for a list of CVEs within the specified period (maximum 120 days). For more targeted results, add keywords to your date range query.
  • Adding Systems: Use Slooth as a ticketing system to track and assign CVEs to security engineers. Administrators can view all unassigned vulnerabilities in the dashboard and assign them accordingly.
  • Dashboard: Provides a comprehensive view of your organization's vulnerabilities and their status, as well as ticket assignments per engineer.
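
The CVE Search option above limits a date-range query to 120 days, and "Bypassing" that limit is listed under Future Updates. The following is an added example, not code from the Slooth repository: it validates a CVE ID, splits a longer range into windows of at most 120 days, and merges the per-window results. The `fetch` callable and the record shape (`{"id": ...}`) are assumptions standing in for whatever query function the application uses, and the CVE IDs in the demo are constructed.

```python
import re
from datetime import date, timedelta

MAX_WINDOW_DAYS = 120  # per-query limit stated in the README
CVE_ID_RE = re.compile(r"CVE-\d{4}-\d{4,}")  # CVE-<year>-<4 or more digits>


def is_valid_cve_id(text):
    """Accept only a well-formed CVE ID; reject anything with extra characters."""
    return CVE_ID_RE.fullmatch(text.strip().upper()) is not None


def split_date_range(start, end, max_days=MAX_WINDOW_DAYS):
    """Split the inclusive range [start, end] into consecutive windows,
    each covering at most max_days calendar days, with no overlap or gap."""
    if end < start:
        raise ValueError("end date precedes start date")
    windows = []
    cursor = start
    while cursor <= end:
        window_end = min(cursor + timedelta(days=max_days - 1), end)
        windows.append((cursor, window_end))
        cursor = window_end + timedelta(days=1)
    return windows


def search_range(start, end, fetch, keyword=None):
    """Call fetch(window_start, window_end, keyword) once per window and
    merge the results, keeping one record per CVE ID.

    fetch is a hypothetical callable (for example a wrapper around an
    nvdlib query) that returns an iterable of dicts with an "id" key.
    """
    merged = {}
    for window_start, window_end in split_date_range(start, end):
        for record in fetch(window_start, window_end, keyword):
            merged.setdefault(record["id"], record)
    return sorted(merged.values(), key=lambda r: r["id"])


if __name__ == "__main__":
    # Constructed stand-in for a real API call, so the demo runs offline.
    def demo_fetch(window_start, window_end, keyword):
        return [{"id": "CVE-2099-0001", "window": str(window_start)}]

    for w in split_date_range(date(2023, 1, 1), date(2023, 12, 31)):
        print(w[0], "->", w[1])
    print(search_range(date(2023, 1, 1), date(2023, 12, 31), demo_fetch))
```

Validating the CVE ID with a full-string match before it reaches a query or a database insert also keeps free-form input out of the lookup path.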

Future Updates

  • Admin password reset feature
  • News feed dashboard with recently released CVEs relevant to clients
  • Email/text notification of CVEs
  • Group ticket assignment feature
  • Transition from CS50 SQL to SQLAlchemy
  • Server deployment
  • Mobile app alternative
  • Expanded ticketing form for work file uploads and additional user input
  • Revamped dashboard with statistical details (e.g., average resolution time, scorecard based on CVE severity, and more)
  • Improved search algorithm
  • "Bypassing" API date range limitations

Contributing

Contributions, issues, and feature requests are welcome! Feel free to check the issues page.
