
Get Started with VulnTrack

This guide will walk you through creating your first vulnerability entry, applying DREAD and STRIDE risk scores, and exploring the core features of VulnTrack.
This quickstart assumes you already have VulnTrack running. If not, follow the Installation Guide first.

1. Create Your Account

VulnTrack uses an invitation-only system for security. The first registered user becomes the System Administrator.

First User (Admin)

Navigate to the registration page:
http://localhost:3000/register
Fill in your details:
  • Name: Your full name
  • Email: Will be used for login
  • Password: Minimum 8 characters
The first user is automatically assigned:
  • Role: ADMIN
  • Team: A default team is auto-created (“My Organization”)
Subsequent users must be invited by an Admin through the Dashboard > Settings panel. Each invitation generates a single-use token.

Team Members

If you received an invitation link:
  1. Click the invitation link (format: /register?token=xxx)
  2. Complete the registration form
  3. You’ll be added to your team with the assigned role (Admin, Analyst, or Viewer)
Invitation tokens expire after the configured time period. Contact your admin if your token has expired.

2. Navigate to the Dashboard

After logging in, you’ll see the main dashboard with:
  • Summary Cards: Total vulnerabilities, critical issues, remediated count, and active users
  • Recent Activity Chart: Visualization of vulnerability trends
  • Top Risks: Critical and high-severity vulnerabilities
  • Recent Vulnerabilities: Your team’s latest entries
  • Quick Actions: Shortcuts to reports, user management, and settings
The dashboard automatically calculates real-time statistics from your vulnerability database.

3. Import a CVE (Recommended)

The fastest way to add a vulnerability is by importing an existing CVE with automatic data population.
From the dashboard:
  1. Click Vulnerabilities in the sidebar
  2. Click Import CVE
Or navigate directly to: http://localhost:3000/dashboard/vulnerabilities/import

Search for a CVE

The CVE import page features autocomplete search:
// Start typing a CVE ID
CVE-2021-44228  // Log4Shell example
As you type (minimum 4 characters), VulnTrack will:
  • Search the CVE database in real-time
  • Display matching CVEs with descriptions, CVSS scores, and severity
  • Allow keyboard navigation (arrow keys + Enter)
VulnTrack fetches data from the VulnCheck API (primary) and falls back to NIST NVD if VulnCheck is unavailable.

Review the Preview

After selecting a CVE, VulnTrack displays:
  • Source badge: Shows whether data came from VulnCheck or NIST
  • KEV badge: Animated alert if the CVE is exploited in the wild
  • Title & Description: Auto-populated from CVE database
  • DREAD Calculator: Pre-filled based on CVSS metrics
The DREAD score is calculated using the formula from lib/scoring.ts:
// CVSS → DREAD mapping
damage = cvssScore >= 9 ? 10 : Math.ceil(cvssScore)
reproducibility = attackComplexity === "LOW" ? 10 : 5
exploitability = privileges === "NONE" ? 10 : 3
affectedUsers = scope === "CHANGED" ? 10 : 5
discoverability = attackVector === "NETWORK" ? 10 : 3

total = (damage + reproducibility + exploitability + affectedUsers + discoverability) / 5
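
The mapping above applied to CVSS v3.x vector strings, as an added example (not VulnTrack's lib/scoring.ts). The function names, the vector parsing and the three constructed sample vectors are assumptions made for illustration; only the five mapping lines and the Log4Shell CVE come from this page.

```typescript
// Added example, not VulnTrack source. Full metric names follow the mapping's
// "LOW" / "NONE" / "CHANGED" / "NETWORK" spelling; all other names are assumptions.
const METRIC_NAMES = new Map<string, string>([
  ["AV:N", "NETWORK"], ["AV:A", "ADJACENT_NETWORK"], ["AV:L", "LOCAL"], ["AV:P", "PHYSICAL"],
  ["AC:L", "LOW"], ["AC:H", "HIGH"],
  ["PR:N", "NONE"], ["PR:L", "LOW"], ["PR:H", "HIGH"],
  ["S:U", "UNCHANGED"], ["S:C", "CHANGED"],
]);

// Return the full name of one base metric, rejecting absent or unknown values.
function metric(parts: string[], key: string): string {
  const part = parts.find((p) => p.startsWith(key + ":"));
  const name = part === undefined ? undefined : METRIC_NAMES.get(part);
  if (name === undefined) throw new Error(`missing or invalid ${key} metric`);
  return name;
}

function dreadFromCvss(cvssScore: number, vector: string) {
  const parts = vector.trim().split("/");
  if (!/^CVSS:3\.[01]$/.test(parts[0] ?? "")) throw new Error("expected a CVSS v3.x vector");
  if (!(cvssScore >= 0 && cvssScore <= 10)) throw new Error("CVSS score must be 0-10");

  // The five lines below are the page's CVSS → DREAD mapping, unchanged.
  const damage = cvssScore >= 9 ? 10 : Math.ceil(cvssScore);
  const reproducibility = metric(parts, "AC") === "LOW" ? 10 : 5;
  const exploitability = metric(parts, "PR") === "NONE" ? 10 : 3;
  const affectedUsers = metric(parts, "S") === "CHANGED" ? 10 : 5;
  const discoverability = metric(parts, "AV") === "NETWORK" ? 10 : 3;
  const total = (damage + reproducibility + exploitability + affectedUsers + discoverability) / 5;
  return { damage, reproducibility, exploitability, affectedUsers, discoverability, total };
}

// Sample inputs: [label, CVSS base score, vector]. All but the first are constructed.
const SAMPLES: [string, number, string][] = [
  ["CVE-2021-44228 (Log4Shell)", 10.0, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"],
  ["constructed: local, high complexity", 7.0, "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"],
  ["constructed: adjacent, high privileges", 6.5, "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"],
  ["constructed: physical, low privileges", 6.5, "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"],
];

for (const [label, score, vector] of SAMPLES) {
  console.log(label, dreadFromCvss(score, vector));
}
```

The last two samples receive identical DREAD values even though one requires adjacent-network access with high privileges and the other physical access with low privileges; the mapping only distinguishes NETWORK from everything else and NONE from everything else, so pre-filled scores for non-network findings need manual review.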

Adjust DREAD Scores

Fine-tune the risk assessment for your environment:
  • Damage Potential (0-10): How severe is the impact?
  • Reproducibility (0-10): How easily can the exploit be reproduced?
  • Exploitability (0-10): How difficult is it to execute?
  • Affected Users (0-10): How many users/systems are at risk?
  • Discoverability (0-10): How easily can the vulnerability be found?
The total DREAD score updates in real-time as you adjust sliders.

Import the Vulnerability

Click Import Vulnerability to save it to your database. VulnTrack will:
  • Create a vulnerability record with status “OPEN”
  • Save DREAD scores to the database
  • Parse affected systems (CPE strings) from CVE data
  • Generate default mitigation steps
  • Auto-approve if you’re an Admin (Analysts require approval)
  • Redirect you to the vulnerability detail page
Approval Workflow: Vulnerabilities submitted by Analysts have status “PENDING” and are visible only to the creator and Admins until approved.

4. Create a Manual Vulnerability

For custom findings (like penetration test results), create vulnerabilities manually.
From the dashboard:
  1. Click Vulnerabilities > Add New
  2. Or navigate to: http://localhost:3000/dashboard/vulnerabilities/new

Fill in Basic Information

The form is located in src/components/vulnerability/VulnerabilityForm.tsx:
// Required fields
title: string         // e.g., "SQL Injection in Login Form"
description: string   // Detailed explanation of the vulnerability
severity: enum        // CRITICAL | HIGH | MEDIUM | LOW | INFO
status: enum          // OPEN | IN_PROGRESS | REMEDIATED | ACCEPTED

Calculate DREAD Score

Use the DREAD Calculator on the right side of the form:
Damage: 9              (Can access entire database)
Reproducibility: 10    (Works every time)
Exploitability: 7      (Requires SQL knowledge)
Affected Users: 8      (All application users)
Discoverability: 6     (Requires code review)

Total DREAD Score: 8.0

Apply STRIDE Classification

Check applicable threat categories:
  • Spoofing: Can an attacker impersonate users?
  • Tampering: Can data be modified without authorization?
  • Repudiation: Can actions be performed without an audit trail?
  • Information Disclosure: Can sensitive data be exposed?
  • Denial of Service: Can services be disrupted?
  • Elevation of Privilege: Can an attacker gain unauthorized access?
The STRIDE model (from src/components/scoring/StrideClassifier.tsx) stores boolean flags:
{
  spoofing: boolean
  tampering: boolean
  reputation: boolean  // Repudiation in the schema
  informationDisclosure: boolean
  denialOfService: boolean
  elevationOfPrivilege: boolean
}

Submit the Vulnerability

Click Create Vulnerability. The form calls this server action from src/app/actions/vulnerabilities.ts:
export async function createVulnerability(data: any) {
  // Validates session and team membership
  // Auto-creates team for first-time admins
  // Sets approvalStatus: ADMIN → APPROVED, ANALYST → PENDING
  // Saves DREAD and STRIDE scores to respective tables
  // Logs audit trail
  // Returns created vulnerability
}
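
The approval rule from the server action's comments and the visibility rule from the Approval Workflow note, written as one server-side predicate. This is an added example, not VulnTrack's code: the type names, field names and the team-scoping check are assumptions, and the records are constructed.

```typescript
// Added example, not VulnTrack source. All type and field names are hypothetical.
type Role = "ADMIN" | "ANALYST" | "VIEWER";
type ApprovalStatus = "APPROVED" | "PENDING";
interface Member { id: string; role: Role; teamId: string }
interface VulnRecord { id: string; teamId: string; createdBy: string; approvalStatus: ApprovalStatus }

// ADMIN → APPROVED, ANALYST → PENDING. Any other role also falls to PENDING,
// so an unexpected role can never auto-approve its own submission.
function initialApprovalStatus(creator: Member): ApprovalStatus {
  return creator.role === "ADMIN" ? "APPROVED" : "PENDING";
}

// PENDING records are visible only to their creator and to Admins.
function canView(viewer: Member, record: VulnRecord): boolean {
  if (viewer.teamId !== record.teamId) return false; // assumption: records are team-scoped
  if (record.approvalStatus === "APPROVED") return true;
  return viewer.role === "ADMIN" || viewer.id === record.createdBy;
}

function visibleIds(viewer: Member, records: VulnRecord[]): string[] {
  return records.filter((r) => canView(viewer, r)).map((r) => r.id);
}

// Constructed sample data.
const PEOPLE = {
  admin: { id: "u-admin", role: "ADMIN", teamId: "t1" } as Member,
  author: { id: "u-ana", role: "ANALYST", teamId: "t1" } as Member,
  peer: { id: "u-bob", role: "ANALYST", teamId: "t1" } as Member,
  viewer: { id: "u-vic", role: "VIEWER", teamId: "t1" } as Member,
  outsider: { id: "u-out", role: "ADMIN", teamId: "t2" } as Member,
};
const RECORDS: VulnRecord[] = [
  { id: "v1", teamId: "t1", createdBy: "u-admin", approvalStatus: initialApprovalStatus(PEOPLE.admin) },
  { id: "v2", teamId: "t1", createdBy: "u-ana", approvalStatus: initialApprovalStatus(PEOPLE.author) },
];

for (const [name, person] of Object.entries(PEOPLE)) {
  console.log(name, visibleIds(person, RECORDS));
}
```

The same predicate has to back every read path that touches a record (list, detail page, comments, dashboard counts, report export); hiding pending entries in the UI alone leaves them readable through the other paths.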

5. Manage the Vulnerability

After creation, you’ll see the vulnerability detail page with comprehensive information.

Key Actions

Top Action Bar:
  • Share: Copy link to clipboard for team collaboration
  • Mark as Resolved: Toggle status between OPEN and RESOLVED
  • Approve (Admins only): Approve pending submissions from Analysts
  • Notifications: Enable/disable alerts for this vulnerability
Status Information Panel:
  • Current status with color-coded indicator
  • Discovery and last updated timestamps
  • Assigned To: Admins can click to assign team members
  • Priority badge (auto-calculated)

Assignment Workflow

Admins can assign vulnerabilities to team members:
// From src/app/actions/vulnerabilities.ts
export async function assignVulnerability(vulnerabilityId: string, assigneeId: string | null) {
  // Creates notification for assignee
  // Sends email with vulnerability details
  // Updates vulnerability record
  // Logs audit trail
}
The assignee receives:
  • In-app notification: Shows in notifications panel
  • Email notification: With direct link to vulnerability

Add Comments

Scroll to the Comment Section to collaborate:
  1. Type your comment in the text area
  2. Click Post Comment
  3. Comments appear with author name and timestamp
  4. All team members can view comments on approved vulnerabilities
Comments are stored in the Comment model:
model Comment {
  id              String        @id @default(uuid())
  content         String
  userId          String
  vulnerabilityId String
  createdAt       DateTime      @default(now())
}

Update Status

Track remediation progress:
  1. Click Mark as Resolved when fixed
  2. Status changes to “RESOLVED”
  3. Audit log records the status change
  4. Dashboard statistics update automatically
Available statuses (from schema.prisma):
  • OPEN: Newly discovered
  • IN_PROGRESS: Currently being fixed
  • REMEDIATED: Fix has been applied
  • ACCEPTED: Risk accepted, no fix planned
  • RESOLVED: Fully resolved

6. Generate a Report

Export vulnerability data for stakeholders.
  1. Go to Dashboard > Quick Actions > Export Report
  2. Or navigate to: http://localhost:3000/dashboard/reports

Select Export Format

VulnTrack supports two formats:
- Executive summary
- Vulnerability tables with DREAD/CVSS scores
- Professional formatting for presentations
- Generated using jsPDF and jsPDF-AutoTable

Filter Options

Customize your report:
  • Date Range: Vulnerabilities created within time period
  • Severity: Filter by CRITICAL, HIGH, MEDIUM, LOW, INFO
  • Status: Include only specific statuses
  • Assigned To: Filter by team member
Click Generate Report to download the file.

What’s Next?

Invite Team Members

Generate invitation links and manage user roles

Configure Email

Set up email notifications for your team

Understand Roles

Learn about Admin, Analyst, and Viewer permissions

API Reference

Integrate VulnTrack with external tools

Common Workflows

For bulk imports, you can:
  1. Use the CVE import page repeatedly (each import takes ~5 seconds)
  2. Build a custom script using the importCve server action
  3. Use the API endpoint (if enabled in your deployment)
Example script structure:
const cveIds = ['CVE-2024-1234', 'CVE-2024-5678']

for (const cveId of cveIds) {
  const result = await importCve(cveId)
  if (result.success) {
    await createVulnerability({ ...result.data })
  }
}
Recommended daily workflow for security teams:
  1. Morning Review: Check dashboard for new vulnerabilities
  2. Prioritize: Sort by DREAD score and CVSS
  3. Assign: Distribute to appropriate team members
  4. Track: Monitor status changes throughout the day
  5. Review: Check resolved vulnerabilities before closing
For Admins managing Analyst submissions:
  1. Navigate to Vulnerabilities page
  2. Filter by Approval Status: PENDING (if filter exists)
  3. Click on each pending vulnerability
  4. Review DREAD scores and description
  5. Click Approve Vulnerability if valid
  6. Or comment with feedback if changes needed
Security Reminder: VulnTrack stores sensitive security data. Always:
  • Use strong passwords
  • Enable HTTPS in production
  • Keep PostgreSQL access restricted
  • Regularly back up your database
  • Review audit logs for suspicious activity

Need Help?

Join the Community

Report issues, request features, or contribute to the project on GitHub
