Last8/Decentralized-Vulnerability-Registry-

Decentralized Vulnerability Registry (DVR)

A blockchain-based alternative to the CVE (Common Vulnerabilities and Exposures) catalog that operates in a decentralized manner on the Polygon network.

Overview

Decentralized Vulnerability Registry (DVR) aims to provide the cybersecurity community with a censorship-resistant, transparent, and community-driven platform for sharing and validating security vulnerabilities. Unlike traditional centralized vulnerability databases, DVR cannot be shut down and is not controlled by any single entity, making it a truly open resource for security professionals worldwide.

Features

  • Decentralized Architecture: Built on Polygon blockchain for low fees and high throughput
  • Community Validation: Vulnerabilities are validated by multiple security professionals
  • Transparent Process: All submissions and validations are visible on the blockchain
  • Censorship Resistant: No central authority can remove or modify vulnerability data
  • Web3 Interface: Easy-to-use interface for submitting and accessing vulnerability data

Table of Contents

  1. Understanding the Basics
  2. Setting Up Your Wallet
  3. Getting Test Cryptocurrency
  4. Setting Up the Project
  5. Deploying the Smart Contract
  6. Configuring the Frontend
  7. Launching the Application
  8. Using the Application
  9. Troubleshooting
  10. Frequently Asked Questions
  11. Additional Resources
  12. Glossary
  13. Contributing
  14. License
  15. Contact

Understanding the Basics

What is a Decentralized Vulnerability Registry?

The Decentralized Vulnerability Registry (DVR) is similar to the Common Vulnerabilities and Exposures (CVE) catalog but operates on a blockchain. This means:

  • No single organization controls the database
  • It cannot be shut down or censored
  • The community validates and maintains the entries
  • All information is transparent and tamper-proof

Key Components

  1. Blockchain: We use Polygon (previously Matic), which is fast and has low transaction fees
  2. Smart Contract: Code that runs on the blockchain and stores vulnerability data
  3. Web Interface: How you'll interact with the smart contract
  4. Web3 Wallet: Software like MetaMask that connects you to the blockchain

Setting Up Your Wallet

Step 1: Install MetaMask

  1. Go to MetaMask.io
  2. Click "Download" and choose your browser
  3. Follow the installation instructions
  4. Create a new wallet by clicking "Create a Wallet"
  5. Write down your recovery phrase (keep this very secure and private!)
  6. Create a password

📝 Note: Never share your recovery phrase with anyone! Anyone with this phrase can access your wallet.

Step 2: Configure MetaMask for Polygon Mumbai Testnet

  1. Open MetaMask by clicking on the extension icon
  2. Click on the network dropdown at the top (it probably says "Ethereum Mainnet")
  3. Click "Add Network"
  4. Click "Add a network manually" at the bottom
  5. Enter the following details:
    • Network Name: Polygon Mumbai
    • New RPC URL: https://rpc-mumbai.maticvigil.com/
    • Chain ID: 80001
    • Currency Symbol: MATIC
    • Block Explorer URL: https://mumbai.polygonscan.com/
  6. Click "Save"

Getting Test Cryptocurrency

You need some test MATIC tokens to pay for transactions. These aren't real money - they're just for testing.

Step 1: Get Test MATIC from a Faucet

  1. Go to Mumbai Faucet
  2. Connect with your GitHub account or Alchemy account (create one if needed)
  3. Copy your MetaMask address by clicking on your account name in MetaMask
  4. Paste your address in the faucet website
  5. Click "Send Me MATIC"
  6. Wait a few moments and check your MetaMask wallet to confirm you received the test MATIC

Setting Up the Project

Method 1: Using GitHub Codespaces (Easiest for Beginners)

  1. Create a GitHub account if you don't have one
  2. Go to the DVR project repository (replace with actual URL when available)
  3. Click the green "Code" button
  4. Select "Open with Codespaces"
  5. Click "New codespace"
  6. Wait for the environment to load

Method 2: Local Setup

Step 1: Install Git

  1. Go to Git Downloads
  2. Download the version for your operating system
  3. Install with default settings

Step 2: Install Node.js

  1. Go to Node.js Downloads
  2. Download the LTS (Long Term Support) version
  3. Install with default settings

Step 3: Download the Project

  1. Open Command Prompt (Windows) or Terminal (Mac/Linux)
  2. Navigate to where you want to store the project:
    cd Documents
  3. Clone the repository:
    git clone https://github.com/yourusername/decentralized-vulnerability-registry.git
  4. Navigate into the project folder:
    cd decentralized-vulnerability-registry
  5. Install dependencies:
    npm install

Deploying the Smart Contract

We'll use Remix, an online IDE, to deploy our smart contract.

Step 1: Open Remix

  1. Go to Remix IDE
  2. You'll see a workspace with some example files

Step 2: Create the Smart Contract File

  1. In the "File Explorer" panel, click the "+" icon
  2. Name the file DecentralizedVulnerabilityRegistry.sol
  3. Copy the entire smart contract code from the vulnerability-registry-contract.sol file in the project
  4. Paste it into the new file in Remix

Step 3: Compile the Smart Contract

  1. Click on the "Solidity Compiler" tab (second icon on the left)
  2. Make sure the compiler version is set to 0.8.0 or higher
  3. Click "Compile DecentralizedVulnerabilityRegistry.sol"
  4. Wait for compilation to complete (you'll see a green checkmark)

Step 4: Deploy the Smart Contract

  1. Click on the "Deploy & Run Transactions" tab (third icon on the left)
  2. In the "Environment" dropdown, select "Injected Provider - MetaMask"
  3. MetaMask will prompt you to connect - click "Connect"
  4. Make sure your account is selected in the "Account" dropdown
  5. Click "Deploy"
  6. MetaMask will open - review the transaction and click "Confirm"
  7. Wait for the transaction to be confirmed (this may take a minute)
  8. Once deployed, you'll see the contract under "Deployed Contracts"
  9. Important: Copy the contract address (click the copy icon next to the contract name) - you'll need this later

Configuring the Frontend

Step 1: Create the Contract ABI File

The ABI (Application Binary Interface) is like a translation guide for your application to communicate with the smart contract.

  1. In Remix, go to the "Solidity Compiler" tab again
  2. Click the "ABI" button to copy the ABI to clipboard
  3. In your project folder, create a new file named contractABI.json
  4. Paste the copied ABI into this file
  5. Save the file

Step 2: Update the Contract Address

  1. Open the app.js file in your project
  2. Find this line:
    const CONTRACT_ADDRESS = "YOUR_DEPLOYED_CONTRACT_ADDRESS";
  3. Replace YOUR_DEPLOYED_CONTRACT_ADDRESS with the address you copied from Remix
  4. Save the file

Launching the Application

Method 1: Using a Local Server

  1. In your command prompt or terminal, make sure you're in the project directory
  2. If you have Node.js installed, run:
    npx http-server
  3. If you don't have Node.js, you can use Python:
    • On Windows (if Python is installed):
      python -m http.server
    • On Mac/Linux:
      python3 -m http.server
  4. Open your browser and go to http://localhost:8080

Method 2: Using GitHub Pages (Free Hosting)

  1. Push your project to GitHub (you can follow GitHub's guide for creating a repository)
  2. Go to your repository on GitHub
  3. Click on "Settings"
  4. Scroll down to "GitHub Pages"
  5. Under "Source", select "main" branch and "/root" folder
  6. Click "Save"
  7. Wait a few minutes, then visit https://yourusername.github.io/decentralized-vulnerability-registry

Using the Application

Connecting Your Wallet

  1. Open the application in your browser
  2. Click the "Connect Wallet" button
  3. MetaMask will open - click "Connect"
  4. Once connected, the button will change to "Connected"
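As an added example (not code from the project's app.js), the check a frontend should run right after "Connect": confirm that the wallet is on the Polygon Mumbai chain configured in Setting Up Your Wallet before any contract call, and ask the wallet to switch or add the network otherwise. It uses the EIP-1193 request method that MetaMask exposes as window.ethereum; the fakeProvider at the end is a constructed stand-in so the logic runs outside a browser.

```javascript
// Added example (not the DVR project's own app.js): make sure the EIP-1193
// wallet provider (window.ethereum in a browser) is on Polygon Mumbai before
// any contract call, and ask it to switch or add the network if it is not.
// Chain parameters are the ones from the "Configure MetaMask" step.
const MUMBAI = {
  chainId: "0x13881", // 80001 in hex, the form EIP-1193 wallets use
  chainName: "Polygon Mumbai",
  rpcUrls: ["https://rpc-mumbai.maticvigil.com/"],
  nativeCurrency: { name: "MATIC", symbol: "MATIC", decimals: 18 },
  blockExplorerUrls: ["https://mumbai.polygonscan.com/"],
};

// Returns "ok" when already on Mumbai, "switched" after a successful
// wallet_switchEthereumChain, "added" when the chain first had to be
// registered (MetaMask error code 4902), and rethrows anything else
// (for example the user rejecting the switch prompt).
async function ensureMumbaiNetwork(provider) {
  const current = await provider.request({ method: "eth_chainId" });
  if (String(current).toLowerCase() === MUMBAI.chainId) return "ok";
  try {
    await provider.request({
      method: "wallet_switchEthereumChain",
      params: [{ chainId: MUMBAI.chainId }],
    });
    return "switched";
  } catch (err) {
    if (err.code !== 4902) throw err;
    await provider.request({ method: "wallet_addEthereumChain", params: [MUMBAI] });
    return "added";
  }
}

// Constructed stand-in for window.ethereum so the check can run under Node.
function fakeProvider(startChainId, knowsMumbai) {
  let chainId = startChainId;
  return {
    async request({ method, params }) {
      if (method === "eth_chainId") return chainId;
      if (method === "wallet_switchEthereumChain") {
        if (!knowsMumbai) { const e = new Error("Unrecognized chain"); e.code = 4902; throw e; }
        chainId = params[0].chainId; return null;
      }
      if (method === "wallet_addEthereumChain") { knowsMumbai = true; chainId = params[0].chainId; return null; }
      throw new Error("unsupported method " + method);
    },
  };
}
```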

Submitting a Vulnerability

  1. Fill out the submission form:
    • Title: A clear, descriptive name for the vulnerability
    • Description: Detailed explanation of the vulnerability, including how it works and potential impacts
    • Affected Systems: Software, hardware, or systems affected by this vulnerability
    • Severity Score: Rate from 1-10 (1 = minor, 10 = critical)
    • References: Add related links in JSON format, e.g., ["https://example.com/reference1", "https://example.com/reference2"]
  2. Click "Submit Vulnerability"
  3. MetaMask will open - confirm the transaction
  4. Wait for confirmation (may take 30-60 seconds on Polygon Mumbai)
  5. Once confirmed, your submission will appear in the vulnerability list
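As an added example (not the project's own app.js), client-side validation of the submission form above before the transaction is sent: the field names, the 1-10 severity range and the JSON-array reference format are the ones the form describes, while the length limits and the returned payload shape are assumptions, since the page does not show how the contract takes its arguments. Because an entry can never be edited once mined and is rendered to everyone who browses the list, the reference check only accepts http(s) links.

```javascript
// Added example (not the DVR project's own app.js): validate the submission
// form fields client-side before they are handed to the contract call.
// Field names, the 1-10 severity range and the JSON-array reference format
// follow the form described above; the length limits are assumptions.
const MAX_TITLE = 200;
const MAX_DESCRIPTION = 4000;

function parseReferences(raw) {
  let refs;
  try { refs = JSON.parse(raw); } catch { throw new Error("references: not valid JSON"); }
  if (!Array.isArray(refs)) throw new Error("references: must be a JSON array");
  return refs.map((r) => {
    if (typeof r !== "string") throw new Error("references: entries must be strings");
    let url;
    try { url = new URL(r); } catch { throw new Error("references: not a URL: " + r); }
    // Entries are rendered back to every visitor of the registry and cannot be
    // edited once mined, so only http(s) links are accepted; javascript: or
    // data: URLs would otherwise become permanent link targets in the list.
    if (url.protocol !== "https:" && url.protocol !== "http:") {
      throw new Error("references: unsupported scheme in " + r);
    }
    return url.href;
  });
}

// Normalises the form and returns the payload with the fields in the order the
// submission form lists them; throws a field-prefixed error on bad input.
function prepareSubmission(form) {
  const title = String(form.title ?? "").trim();
  const description = String(form.description ?? "").trim();
  const affectedSystems = String(form.affectedSystems ?? "").trim();
  const severity = Number(form.severity);
  if (!title || title.length > MAX_TITLE) throw new Error("title: required, at most " + MAX_TITLE + " chars");
  if (!description || description.length > MAX_DESCRIPTION) throw new Error("description: required, at most " + MAX_DESCRIPTION + " chars");
  if (!affectedSystems) throw new Error("affectedSystems: required");
  if (!Number.isInteger(severity) || severity < 1 || severity > 10) throw new Error("severity: integer from 1 to 10");
  const references = parseReferences(form.references ?? "[]");
  return { title, description, affectedSystems, severity, references };
}
```

Show the returned payload to the user before asking MetaMask to confirm, since the FAQ below notes that a mined submission cannot be modified afterwards.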

Validating a Vulnerability

  1. Find the vulnerability you want to validate in the list, or enter its ID in the "Vulnerability ID" field
  2. Click "Get Details" to view the full information
  3. Review the details carefully
  4. If the information is accurate and complete, click "Validate"
  5. MetaMask will open - confirm the transaction
  6. Wait for confirmation
  7. The vulnerability's validation count will increase

Browsing Vulnerabilities

  1. The main page displays recently submitted vulnerabilities
  2. Click "View Details" on any entry to see complete information
  3. Click "Refresh" to update the list with the latest submissions

Troubleshooting

MetaMask Won't Connect

  1. Make sure you're on the Polygon Mumbai network in MetaMask
  2. Try refreshing the page
  3. Check if your browser is blocking pop-ups
  4. Ensure MetaMask is unlocked (you've entered your password)

Transaction Failed

  1. Make sure you have enough test MATIC (at least 0.01 MATIC)
  2. Check if you're on the Polygon Mumbai network
  3. Try increasing the gas limit slightly in MetaMask advanced options
  4. Wait and try again - the network might be congested

Can't See Your Submission

  1. Click the "Refresh" button
  2. Check if your transaction was confirmed in MetaMask (under Activity)
  3. Verify your submission by searching for its ID in the validation section

Smart Contract Deployment Failed

  1. Make sure you're on the Polygon Mumbai network
  2. Check if you have enough test MATIC
  3. Try increasing the gas limit
  4. Make sure the contract compiles without errors

Frequently Asked Questions

General Questions

Q: Is this the same as the CVE database?
A: No, this is a decentralized alternative that uses blockchain technology to ensure no single entity controls the database.

Q: Do I need real money to use this?
A: For testing on Mumbai Testnet, you only need test MATIC, which has no real value. For a production deployment on Polygon Mainnet, you would need real MATIC.

Q: Can anyone submit vulnerabilities?
A: Yes, the system is open to all. However, submissions need community validation to be marked as verified.

Q: How is this different from a regular database?
A: Traditional databases can be altered or taken offline by their owners or by legal authorities. This decentralized version exists across many computers worldwide and cannot be censored or shut down.

Technical Questions

Q: What happens if I lose my wallet?
A: If you have your recovery phrase, you can restore your wallet. If not, you cannot recover it. However, the vulnerabilities you submitted will remain in the registry.

Q: How do I move this to the main Polygon network?
A: You would follow the same deployment steps but connect to Polygon Mainnet instead of Mumbai Testnet in MetaMask.

Q: Can I modify a vulnerability after submission?
A: No, blockchain data is immutable. You would need to submit a new vulnerability with updated information.

Q: How many validations does a vulnerability need?
A: Currently, a vulnerability needs 3 validations to be marked as verified.

Q: Is my personal information stored on the blockchain?
A: Only your Ethereum address is stored. No other personal information is required or stored.

Additional Resources

Learning More About Blockchain

Vulnerability Reporting

Developer Resources

Glossary

  • Blockchain: A distributed digital ledger that records transactions across many computers
  • Smart Contract: Self-executing code that runs on a blockchain
  • Gas: Fee paid to process transactions on a blockchain
  • MATIC: The native cryptocurrency of the Polygon network
  • Testnet: A blockchain network used for testing, separate from the main network
  • Mainnet: The main blockchain network where real transactions occur
  • ABI: Application Binary Interface - how you communicate with the smart contract
  • Web3: The next generation of the internet, built on blockchain technology
  • Decentralized: Not controlled by any single entity or organization
  • Wallet: Software that gives you access to your blockchain assets and identity
  • Faucet: A service that provides free test cryptocurrency
  • Transaction: Any action that changes the state of the blockchain
  • Node: A computer that participates in a blockchain network
  • Consensus: The process by which blockchain transactions are verified

Contributing

We welcome contributions from the security community! Please follow these steps to contribute:

  1. Fork the repository
  2. Create a feature branch (git checkout -b feature/amazing-feature)
  3. Commit your changes (git commit -m 'Add some amazing feature')
  4. Push to the branch (git push origin feature/amazing-feature)
  5. Open a Pull Request

Future Roadmap

  • IPFS integration for more detailed vulnerability information
  • Enhanced search and filtering capabilities
  • Integration with security tools via API
  • Cross-referencing with traditional CVE database
  • Mobile application development

License

This project is licensed under the MIT License - see the LICENSE file for details.


Disclaimer: This project is not affiliated with or endorsed by the CVE Program or MITRE Corporation.
