June 2026
SBOM upload — five-layer hardening for malformed / huge / deeply-nested files
Concentric defenses on the /v1/sbom/scan upload path. (1) Content-Length pre-check rejects oversized uploads before the read. (2) The read itself is capped to SBOM_MAX_BYTES+1 so a body that lies about its length can't sneak past. (3) Filename is sanitised — basename only, ../, NUL, and control bytes stripped, 255-char cap, so nothing weird flows into the format detector or audit log. (4) Parser error handling broadens to catch RecursionError (deeply-nested adversarial JSON), MemoryError (billion-laughs-style blowups), and stray decode errors — all map to 400/413 instead of 500. (5) Post-parse filter drops purls / versions over 1024 chars or carrying control bytes, then caps total component count per call (5k anonymous, 20k authenticated). A new components_truncated field in the response tells the caller how many rows were dropped so they can decide whether to split the SBOM. 14 unit tests cover both helpers.
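Added illustration, not the service's own code: a minimal Python sketch of the five layers above. The 5k/20k component caps and the 1024-char field limit come from this entry; SBOM_MAX_BYTES, UploadError, the function names and the "upload.sbom" fallback are assumed placeholders.

```python
import json
import os
import re

# Component caps and the 1024-char field limit come from the changelog entry;
# SBOM_MAX_BYTES is an assumed placeholder, not the service's real setting.
SBOM_MAX_BYTES = 8 * 1024 * 1024
MAX_FIELD_LEN = 1024
COMPONENT_CAPS = {"anonymous": 5_000, "authenticated": 20_000}
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


class UploadError(Exception):
    """Carries the HTTP status (400 or 413) the handler should return."""
    def __init__(self, status, msg):
        super().__init__(msg)
        self.status = status


def read_body(stream, content_length):
    """Layers 1+2: reject a declared oversize before reading, then cap the
    read at SBOM_MAX_BYTES+1 so a body lying about its length still can't pass."""
    if content_length is not None and content_length > SBOM_MAX_BYTES:
        raise UploadError(413, "declared Content-Length over SBOM_MAX_BYTES")
    raw = stream.read(SBOM_MAX_BYTES + 1)
    if len(raw) > SBOM_MAX_BYTES:
        raise UploadError(413, "body over SBOM_MAX_BYTES")
    return raw


def sanitize_filename(name):
    """Layer 3: basename only, NUL/control bytes stripped, 255-char cap."""
    base = _CONTROL.sub("", os.path.basename(name.replace("\\", "/")))
    return (base if base not in ("", ".", "..") else "upload.sbom")[:255]


def parse_sbom(raw):
    """Layer 4: every parser blow-up maps to a 400, never a 500."""
    try:
        return json.loads(raw.decode("utf-8"))
    except (RecursionError, MemoryError, UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise UploadError(400, f"unparseable SBOM: {type(exc).__name__}") from exc


def filter_components(components, tier):
    """Layer 5: drop rows whose purl/version is over 1024 chars or carries
    control bytes, then cap the count per tier. Returns (kept, truncated)."""
    def ok(c):
        vals = [str(c.get(k, "")) for k in ("purl", "version")]
        return all(len(v) <= MAX_FIELD_LEN and not _CONTROL.search(v) for v in vals)
    kept = [c for c in components if ok(c)][:COMPONENT_CAPS[tier]]
    return kept, len(components) - len(kept)
```

The second element of filter_components' result is what the components_truncated response field would carry.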
SBOM scan — 3 free anonymous scans per IP + helpful 401 with signup info
/v1/sbom/scan previously required an API key on the first call, returning a terse "missing bearer token" 401 with no hint at the fix. Anonymous callers now get 3 lifetime scans per IP (check-packages is 50), and the response carries a trial { used, limit, remaining } block. After exhaustion the 401 body becomes { error: "free_trial_exhausted", message, signup_url, docs_url } so callers know exactly what to do. The cap is tighter than check-packages because SBOM parse + bulk vuln JOIN is materially more expensive per call. /api docs updated with the new behaviour + sample response.
About page — CISA KEV / FIRST EPSS added to the data-sources table
The "data sources" table at the bottom of /about now lists CISA Known Exploited Vulnerabilities and FIRST EPSS, with their daily cadence and upstream links. Visitors can audit where the kev / epss fields in our responses come from. The sample-response JSON on the same page also now shows both fields.
CISA KEV + FIRST EPSS signals on check-packages / SBOM responses
The new daily kev-epss collector pulls CISA Known Exploited Vulnerabilities (~1.1k entries) and FIRST EPSS scores (~250k CVEs) into ai_signals. /v1/ai/check-packages and /v1/ai/sbom-scan now return kev (boolean) and epss (0..1) per advisory. KEV=true or EPSS≥0.5 escalates the verdict to high regardless of base CVSS — Standard-tier consumers automatically catch "low CVSS but already being exploited" advisories. Sort order also changes to KEV → EPSS → CVSS so truncated clients (read only vulns[0]) get the right top hit.
Data milestone — crossed 500k AI datasets
Total collected AI datasets crossed 500,000 for the first time. Auto-emitted by the scheduler.
Data milestone — crossed 500k AI models
Total collected AI models crossed 500,000 for the first time. Auto-emitted by the scheduler.
Data milestone — crossed 250k vulnerabilities
Total collected vulnerabilities crossed 250,000 for the first time. Auto-emitted by the scheduler.
Footer — partnership & service contact line added
A third slot alongside copyright and bug-report. mailto: link in font-mono; wraps cleanly on narrow viewports.
Comprehensive ko/en drift fix across account, auth, connect, api, admin pages
About twenty pages whose /en/* mirrors leaked Korean strings are now fully bilingual. 90+ new i18n keys; the ko/en check is now a standing rule for every page edit.
Package matching — auto-normalise crates.io / RubyGems / Go user input to purl-spec canonical types
User input like pkg:crates.io/tokio now resolves against pkg:cargo/tokio internally. Closes a silent false-negative gap.
May 2026
Reachability prompt split — members-only Standard + Reachability (§11)
Even with a CVE present, downgrade to advisory when the user's code path doesn't reach the affected function.
MCP servers — scope drift detection + pkg:mcp/ identifier support
Silent capability elevation in minor releases is surfaced via the new mcp.scope_drift response field.
AI dataset gating — pkg:data// covers license + PII signals in the unified gate
Full Hugging Face dataset catalogue mirrored. License + PII alongside model weights_format in one gate.
SBOM merge gate — coverage_ratio in response + self-SBOM at /sbom.cdx.json
Coverage ratio surfaced on lockfile scan responses; VDB's own SBOM published for external verification.