Accounts
The corpus is public — you can read every CVE, CWE, and CPE without signing in. An account exists for two things: a higher rate limit, and notes that stick to records and travel with the corpus.
What an account gets you
- The authenticated tier. Anonymous reads are throttled per IP at the edge; a signed-in session is metered against your account’s tier instead. See Limits.
- Notes. Free-text annotations bound to a CVE / CWE / CPE record, scoped to your account and attributed to you.
- One identity across surfaces. The same account signs you into the browser console and the vulnCLI.
Signing in
The console never sees your password. Sign-in happens on the daemon’s own hosted pages over OAuth 2.1:
- Browser — the login flow redirects to the daemon, you authenticate there, and you’re returned with a session. The session lives server-side; your browser only holds an opaque, HttpOnly cookie.
- CLI — vuln login uses the device grant: it prints a code, you approve it in a browser, and the CLI caches a token it refreshes automatically.
See Auth for the protocol detail.
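The CLI side of the device grant described above, as an added example that is not the vulnCLI's or the daemon's own code. It follows RFC 8628 (request a device code, show the user code, poll the token endpoint no faster than the advertised interval, back off on slow_down, stop on access_denied or expiry) and keeps a cached token that is refreshed transparently once stale. The daemon URL, the /oauth/device and /oauth/token paths, the JSON field names and the fake daemon's codes are assumptions constructed for this example so that it runs offline.

```python
"""Device-authorization-grant (RFC 8628) client of the kind `vuln login` runs,
plus an offline fake of the daemon's two OAuth endpoints.

Added example, not the vulnCLI's or the daemon's own code. DAEMON, the
endpoint paths and the field names are assumptions modelled on RFC 8628.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

DAEMON = "https://daemon.example"  # assumed placeholder, not the real daemon
DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


@dataclass
class TokenCache:
    """What the CLI persists: bearer token, refresh token, absolute expiry."""
    access_token: str = ""
    refresh_token: str = ""
    expires_at: float = 0.0

    def valid(self, now: float, skew: float = 30.0) -> bool:
        # Treat the token as stale slightly early so an in-flight request
        # does not reach the daemon with an expired bearer.
        return bool(self.access_token) and now + skew < self.expires_at


class DeviceGrantClient:
    def __init__(self, post: Callable[[str, Dict[str, str]], Dict],
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep) -> None:
        self.post = post      # HTTP POST abstraction: (url, form) -> JSON dict
        self.clock = clock    # injectable so the flow can be tested offline
        self.sleep = sleep
        self.cache = TokenCache()

    def login(self, client_id: str, show: Callable[[str], None]) -> TokenCache:
        """Obtain a user code, display it, poll until approved/denied/expired."""
        dev = self.post(f"{DAEMON}/oauth/device",
                        {"client_id": client_id, "scope": "read notes"})
        show(f"Open {dev['verification_uri']} and enter code {dev['user_code']}")
        interval = float(dev.get("interval", 5))
        deadline = self.clock() + float(dev["expires_in"])
        while self.clock() < deadline:
            self.sleep(interval)  # never poll faster than the daemon asked
            resp = self.post(f"{DAEMON}/oauth/token",
                             {"grant_type": DEVICE_GRANT,
                              "device_code": dev["device_code"],
                              "client_id": client_id})
            err = resp.get("error")
            if err is None:
                self._store(resp)
                return self.cache
            if err == "authorization_pending":
                continue
            if err == "slow_down":
                interval += 5.0  # RFC 8628 section 3.5: back off by 5 seconds
                continue
            # access_denied, expired_token or anything unexpected ends the flow
            raise PermissionError(f"device grant failed: {err}")
        raise TimeoutError("device code expired before it was approved")

    def token(self, client_id: str) -> str:
        """Return a usable bearer token, refreshing transparently when stale."""
        if self.cache.valid(self.clock()):
            return self.cache.access_token
        resp = self.post(f"{DAEMON}/oauth/token",
                         {"grant_type": "refresh_token",
                          "refresh_token": self.cache.refresh_token,
                          "client_id": client_id})
        if "error" in resp:
            raise PermissionError(f"refresh failed: {resp['error']}; run login again")
        self._store(resp)
        return self.cache.access_token

    def _store(self, resp: Dict) -> None:
        self.cache = TokenCache(resp["access_token"],
                                resp.get("refresh_token", self.cache.refresh_token),
                                self.clock() + float(resp["expires_in"]))


class FakeDaemon:
    """Constructed stand-in for the daemon's device and token endpoints."""
    def __init__(self, approve_after: int, slow_down_on: Optional[int] = None,
                 deny_on: Optional[int] = None) -> None:
        self.polls, self.issued = 0, 0
        self.approve_after, self.slow_down_on, self.deny_on = approve_after, slow_down_on, deny_on

    def post(self, url: str, form: Dict[str, str]) -> Dict:
        if url.endswith("/oauth/device"):
            return {"device_code": "dev-code-1", "user_code": "WXYZ-1234",
                    "verification_uri": f"{DAEMON}/device", "expires_in": 600, "interval": 5}
        if form["grant_type"] == "refresh_token":
            if form["refresh_token"] != f"refresh-{self.issued}":
                return {"error": "invalid_grant"}  # revoked or already-rotated refresh token
            return self._issue()
        self.polls += 1
        if self.polls == self.deny_on:
            return {"error": "access_denied"}
        if self.polls == self.slow_down_on:
            return {"error": "slow_down"}
        if self.polls < self.approve_after:
            return {"error": "authorization_pending"}
        return self._issue()

    def _issue(self) -> Dict:
        self.issued += 1
        return {"access_token": f"access-{self.issued}", "token_type": "Bearer",
                "refresh_token": f"refresh-{self.issued}", "expires_in": 3600}


class FakeClock:  # virtual time so the polling loop runs instantly
    def __init__(self) -> None:
        self.t = 0.0
    def now(self) -> float:
        return self.t
    def sleep(self, seconds: float) -> None:
        self.t += seconds


def demo() -> Dict:
    """User approves on the third poll after one slow_down; later the cached
    token goes stale and is refreshed with no user interaction."""
    daemon, clock, shown = FakeDaemon(approve_after=3, slow_down_on=2), FakeClock(), []
    cli = DeviceGrantClient(daemon.post, clock=clock.now, sleep=clock.sleep)
    cli.login("vuln-cli", shown.append)
    first = cli.token("vuln-cli")
    clock.t += 4000  # well past the 3600 s token lifetime
    second = cli.token("vuln-cli")
    return {"prompt": shown[0], "polls": daemon.polls, "elapsed": clock.t,
            "first": first, "second": second}


if __name__ == "__main__":
    print(demo())
```

The two details worth noticing are the back-off on slow_down (a client that keeps polling at the original interval is the classic device-grant bug) and the early-expiry skew in TokenCache.valid, which is what lets "refreshes automatically" hold without a request ever failing with a stale bearer.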
Two-factor
Accounts support a second factor — TOTP authenticator apps, WebAuthn / passkeys, and one-time recovery codes. Enrol and manage factors from the account area on the daemon. Once a factor is enrolled, sign-in requires it.
Attribution
Actions you take while signed in are attributed to you, not just your tenant: your reads count against your usage, and your meaningful actions (searches, record views, note writes) show up in your own activity log. Anonymous reads have no person to attribute to and are not logged that way.