CVEHub is an automated service for monitoring security vulnerabilities (CVEs) operated by DC Digital Communication. By using the service, you accept these terms of use.
CVEHub imports publicly available vulnerability information (CVEs) from third-party sources (e.g. NVD, Ubuntu Security, GitHub) and compares it against the software packages specified by the user (SBOM). If a match is found, the user is notified by email. The service serves as a tool for detecting possible security issues.
The service is provided without any warranty. DC Digital Communication assumes no liability for:
No guarantee is given for complete monitoring, error-free detection, or uninterrupted operation. The service may be changed, restricted, or discontinued at any time without prior notice.
The user is responsible for the accuracy of the project and SBOM data they provide, as well as for the security of their account. Misuse of the service, in particular automated mass queries or sharing access credentials with third parties, is prohibited.
The service is available in various plans that differ in scope and price. Paid plans are billed monthly or annually in advance, either by credit card (Stripe) or in advance by bank transfer. For payment in advance, the booked plan is activated only after payment has been received.
Personal data is used exclusively for operating the service and is not disclosed to third parties unless required for the performance of the contract. Only the data necessary for operation is stored.
The payment service provider Stripe is used for payment processing. A Data Processing Agreement is in place with Stripe. Data may be transferred to countries outside the EU/EEA (in particular the USA); this is based on EU Standard Contractual Clauses or an equivalent level of protection.
Under the General Data Protection Regulation (GDPR), users have, in particular, the right to access, rectification, erasure, restriction of processing, data portability, and objection to the processing of their data. Requests regarding this should be directed to the contact address listed in the legal notice (Info page).
Personal data is stored only for as long as necessary to provide the service or to fulfill legal retention obligations. Details on data processing can be found in the separate privacy policy.
Paid subscriptions can be cancelled or downgraded to the free plan at any time. The booked plan remains active until the end of the already paid billing period.
DC Digital Communication reserves the right to change these terms of use at any time. Users will be informed of material changes by email.
CVEHub can help companies meet obligations arising from the NIS2 Directive (Directive (EU) 2022/2555) and the Cyber Resilience Act (Regulation (EU) 2024/2847) in the area of vulnerability management. However, use of the service does NOT constitute an assurance, certification, or legal confirmation of compliance with NIS2, the CRA, or other legal requirements.
Responsibility for compliance with all regulatory obligations (including reporting obligations, risk management, and documentation) remains entirely with the user or their company. CVEHub provides no advisory or warranty services in this regard.
No specific availability (SLA) is guaranteed unless expressly agreed separately.
As part of the CVE import, data is obtained from third-party sources outside the EU (e.g. NVD/NIST, GitHub, both based in the USA). This data consists of publicly available, non-personal security information.
Consumers have the option to use the European Commission's Online Dispute Resolution platform (ec.europa.eu/consumers/odr) to resolve disputes.
Austrian law applies. To the extent permitted by law, the place of jurisdiction is the registered office of DC Digital Communication.