CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad

Privacy Policy

Last updated: February 13, 2026

Table of Contents

  1. Introduction
  2. Information We Collect
  3. How We Use Your Information
  4. AI-Generated Content
  5. Cookies & Tracking
  6. Third-Party Services
  7. Data Sharing
  8. Data Retention
  9. Data Security
  10. Your Rights
  11. Children's Privacy
  12. International Transfers
  13. Changes to This Policy
  14. Contact Us

1. Introduction

Welcome to CVEReports ("we," "our," or "us"). CVEReports is an AI-powered vulnerability intelligence platform that autonomously researches, analyzes, and generates comprehensive reports for Common Vulnerabilities and Exposures (CVEs) and GitHub Security Advisories (GHSAs).

We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, store, and share your information when you use our website and services. It also describes your rights regarding your personal data and how the law protects you.

2. Information We Collect

We collect different types of information depending on how you interact with our platform:

Account Data

When you create an account, we collect information you provide directly:

  • Email and password if you register via email sign-up
  • Name and email if you sign in via Google OAuth
  • Username and email if you sign in via GitHub OAuth

Usage Data

We automatically collect information about how you interact with our platform:

  • Vulnerability reports you view
  • Search queries you perform
  • Pages visited and features used

Technical Data

We automatically collect certain technical information when you access our service:

  • IP address
  • Browser type and version
  • Device type and operating system
  • Timezone and general location
  • Referring pages and exit pages

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Service Delivery: To provide, operate, and maintain CVEReports, including account authentication and management.
  • Improvement: To understand how users interact with our platform and improve its features, content, and user experience.
  • Communication: To send transactional emails such as email verification, password resets, and service notifications.
  • Security: To detect, prevent, and address technical issues, abuse, and unauthorized access.
  • Legal Compliance: To comply with applicable laws, regulations, and legal processes.

4. AI-Generated Content

AI Disclosure

CVEReports uses Google's Gemini AI models to autonomously research and generate vulnerability reports. These reports are produced by AI, not written or individually reviewed by humans.

Our AI pipeline processes publicly available vulnerability data from sources such as the National Vulnerability Database (NVD), GitHub Security Advisories, CISA KEV, ExploitDB, and others. The AI synthesizes this information into structured reports.

We do not use your personal data to train our AI models. The AI processes only publicly available vulnerability and security data.

5. Cookies & Tracking Technologies

We use the following types of cookies:

  • Authentication Cookies: Essential cookies that keep you signed in to your account. Session cookies expire after 7 days of inactivity.
  • Session Cookies: Temporary cookies that help maintain your session state while browsing. These are deleted when you close your browser.
  • Preference Cookies: Cookies that remember your settings such as theme preference (light/dark mode).

We do not use advertising cookies or third-party tracking cookies for marketing purposes.

6. Third-Party Services

We integrate with the following third-party services to operate our platform:

  • Google: OAuth authentication (sign-in) and Gemini AI models for report generation. Subject to Google's Privacy Policy.
  • GitHub: OAuth authentication (sign-in) and Security Advisory data. Subject to GitHub's Privacy Statement.
  • Resend: Transactional email delivery (email verification, password resets). Subject to Resend's Privacy Policy.

7. Data Sharing

We do not sell your personal data. We may share your information only in the following limited circumstances:

  • Service Providers: With third-party vendors that help us operate the platform (hosting, email, AI inference, authentication).
  • Legal Obligations: When required by law, court order, or to protect our rights and safety.
  • Business Transfers: In connection with a merger, acquisition, or sale of assets.

8. Data Retention

We retain your personal data only for as long as necessary to provide our services and fulfill the purposes outlined in this policy:

  • Account Data: Retained while your account is active. Deleted within 30 days of account deletion.
  • Usage Data: Retained for up to 90 days for analytics and security purposes.
  • Session Cookies: Deleted when you close your browser or after 7 days of inactivity.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

  • Industry-standard encryption (TLS 1.3 in transit)
  • Secure password hashing (bcrypt)
  • Regular security audits and updates
  • Limited access to personal data on a need-to-know basis

10. Your Rights

Depending on your jurisdiction (GDPR, CCPA, etc.), you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate or incomplete data.
  • Deletion: Request deletion of your personal data.
  • Portability: Request a copy of your data in a machine-readable format.
  • Objection: Object to processing based on legitimate interests.

To exercise these rights, please contact us using the form below.

11. Children's Privacy

CVEReports is not intended for children under 13 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.

12. International Data Transfers

CVEReports is hosted on Vercel's infrastructure, which may process and store your data in the United States and other jurisdictions. By using our service, you consent to the transfer of your data to these locations.

Where we transfer data outside of the EU/EEA, we ensure appropriate safeguards are in place to protect your personal data in accordance with applicable data protection laws.

13. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last updated" date at the top of this page.

We encourage you to review this policy periodically to stay informed about how we protect your information.

14. Contact Us

If you have questions or concerns about this privacy policy or our data practices, please reach out to us:

Use our contact form or email us directly.
