A vulnerability intelligence platform built for security teams who want to stay on top of threats without depending on expensive commercial tools. Zero Day Monitor scans security news in real-time, analyzes it with AI, and gives you a clear picture of what matters right now.
The project is licensed under AGPL-3.0. Every component, from the AI analysis pipeline to the trending algorithm, is designed to be transparent and auditable. No vendor lock-in, no black boxes, no hidden data collection.
The Trending page shows which vulnerabilities are getting the most attention from independent security sources right now. A single vendor advisory with one source is routine. Three independent sources reporting on the same CVE? That's worth paying attention to. The trending score also factors in CISA KEV status, EPSS exploit probability, SSVC decision points, and community votes.
On the Dashboard, switch between multiple sorting modes: Trending, Urgent, Newest, Critical, Weekly Urgent, and Weekly Trending. Each gives you a different perspective. "Urgent" prioritizes actively exploited vulnerabilities and critical severity with time decay. "Weekly Trending" shows what gained the most momentum over the past 7 days without time decay.
The Vulnerabilities page has full-text search and advanced filters. Filter by severity, CVSS range, EPSS range, vendor (including downstream affected vendors), CWE category, publication date, and vulnerability type (CVE, Pre-CVE, KEV). All filters combine, so you can find exactly what you need: "Critical Cisco vulnerabilities from the last 7 days with EPSS above 0.5".
As a registered user, you can build a vendor watchlist in your Preferences. Add the vendors whose products you use (Cisco, Microsoft, Fortinet, etc.) and the dashboard adapts: you get a personalized threat briefing, an attack surface overview, and patch coverage tracking for your specific stack. Supply-chain risks are included automatically. If a library your vendor depends on has a vulnerability, you'll see it.
Every day, the system generates a global threat briefing that summarizes what's happening in the vulnerability landscape. As a verifier, you also get a personalized vendor briefing tailored to your watchlist, with actionable recommendations: patch now, mitigate, or monitor. Both are available as 24-hour snapshots and 7-day weekly reviews with different perspectives. The daily briefing focuses on what's acute right now; the weekly one identifies patterns and looks ahead.
When a security article describes a new vulnerability but no CVE has been assigned yet, the system creates a Pre-CVE event. These are tracked separately and automatically reconciled once a CVE ID appears. As a verifier, you can confirm zero-days, link them to CVE IDs once assigned, and submit new ones that the automated pipeline missed.
Every vulnerability has community voting. Upvotes and downvotes signal how important or relevant the community considers a vulnerability, and the vote score directly influences trending rankings. Verifiers can go further: mark vulnerabilities as verified, corroborated, or flag them for admin review. They can also leave verification notes to provide context for other team members ("Confirmed in our environment", "Not applicable to our config"). Pin important vulnerabilities to your personal dashboard for quick access.
Every vulnerability has a version history. When new information comes in (a patch is released, the CVSS score is updated, the severity changes), the system creates a versioned snapshot with a changelog. You can see exactly what changed, when, and from which source. A data completeness indicator shows how much information is available for each vulnerability and what fields are still missing.
Registration is invite-only. An admin creates invite links for new users.
Browse all vulnerabilities, trending data, and news. Set up a vendor watchlist. Vote on vulnerabilities. Read global threat briefings. Use advanced search and filters.
Everything a user can do, plus: verify or flag vulnerabilities, link Pre-CVEs to real CVE IDs, confirm zero-days, submit new zero-day reports, leave verification notes, pin vulnerabilities, and access personalized vendor threat briefings. Verifiers work through a Review Queue of Pre-CVEs that need attention. When a verifier flags something as suspicious, it goes to the admin review queue. Verifiers are the backbone of data quality.
Full platform control. Make final false-positive decisions (which feed back into the algorithm to improve future accuracy), manage users and invites, configure the analysis pipeline, trigger data enrichment, and review flagged items. Admins also manage the LLM provider chain, system settings, and can regenerate threat briefings on demand.
Zero Day Monitor doesn't just collect data. It improves over time through a closed-loop feedback system:
Every article that enters the system gets a prefilter score. Articles below the threshold are dismissed as irrelevant.
When an admin marks a vulnerability as false positive, or a dismissed article turns out to be a real vulnerability (false negative), these signals are recorded with full context: the score breakdown, the algorithm version, and the feed tier.
A weekly feedback analyzer processes these signals and adjusts the prefilter weights. The adjustment is proportional: a single mistake causes a small correction, repeated patterns cause larger shifts. Weights have bounds to prevent degeneration.
Precision, recall, and F1 scores are tracked weekly. A daily false-negative auditor automatically detects dismissed articles that matched later-discovered CVEs. The goal: fewer false positives without missing real vulnerabilities.
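A sketch of the bounded, proportional weight correction and the weekly metrics described above. This is an added example, not Zero Day Monitor's code; the rate, the bounds, and the feature names (`has_cve_id`, `vendor_match`) are assumptions, since the page gives no values.

```javascript
// All constants are assumptions for illustration; the page gives no values.
const RATE = 0.02;                      // correction applied per recorded signal
const BOUNDS = { min: 0.1, max: 3.0 };  // keeps any weight from collapsing or exploding

const clamp = (x, lo, hi) => Math.min(hi, Math.max(lo, x));
const owns = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// signals: [{ kind: "fp" | "fn", features: ["has_cve_id", ...] }]
// fp: the article scored too high, so the weights that fired are lowered.
// fn: a dismissed article was real, so the weights that fired are raised.
function adjustWeights(weights, signals) {
  const net = Object.create(null);      // no prototype keys to collide with
  for (const s of signals) {
    const dir = s.kind === "fn" ? 1 : -1;
    for (const f of s.features) net[f] = (net[f] || 0) + dir;
  }
  const next = { ...weights };
  for (const [f, n] of Object.entries(net)) {
    if (!owns(next, f)) continue;       // ignore features the prefilter does not know
    // Proportional: one signal moves the weight by RATE, n signals by n * RATE.
    next[f] = clamp(next[f] + RATE * n, BOUNDS.min, BOUNDS.max);
  }
  return next;
}

// Weekly quality metrics from confirmed outcomes.
function metrics({ tp, fp, fn }) {
  const precision = tp + fp === 0 ? 0 : tp / (tp + fp);
  const recall = tp + fn === 0 ? 0 : tp / (tp + fn);
  const f1 = precision + recall === 0
    ? 0
    : (2 * precision * recall) / (precision + recall);
  return { precision, recall, f1 };
}
```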
Most vulnerability trackers show you that OpenSSL has a CVE. Zero Day Monitor goes further: it tracks which downstream vendors and products are affected. When a core library vulnerability drops, you see not just the component itself but also every vendor in the database that ships or bundles that component. If you watch "Red Hat" in your vendor list, you'll see OpenSSL vulnerabilities too, because Red Hat packages OpenSSL.
This data comes from CPE entries (NVD/VulnCheck), MITRE affected lists, GitHub Security Advisories, and BSI CSAF product trees. The threat briefings group supply-chain risks separately so you can see at a glance where your vendors are affected as a downstream dependency.
Not all security sources are equally reliable. The platform uses a 5-tier trust system based on the Admiralty Code. Higher-tier sources can overwrite data from lower tiers, but not the other way around. This prevents low-quality sources from corrupting authoritative data.
NVD, CVE API, CISA, Vendor PSIRTs (Microsoft, Cisco, Fortinet, Adobe)
BSI, CERT-EU, NCSC, JPCERT, AusCERT, CERT-FR
Project Zero, Rapid7, Talos, Qualys, Tenable, Wordfence
BleepingComputer, The Hacker News, SecurityWeek, Dark Reading
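The overwrite rule above, as an added example that is not the project's own code. The tier numbers (1 = most trusted), the per-field record layout, and the choice to let an equal tier overwrite are assumptions; the page lists the source groups without numbering them.

```javascript
// Assumed tier numbers: 1 = most trusted, 5 = least. Illustrative mapping only.
const SOURCE_TIER = {
  "NVD": 1, "CISA": 1,
  "BSI": 2, "CERT-EU": 2,
  "Rapid7": 3, "Talos": 3,
  "BleepingComputer": 4, "SecurityWeek": 4,
};
const LOWEST_TIER = 5;

// Unknown sources fall to the lowest tier instead of being trusted by default.
function tierOf(source) {
  return Object.prototype.hasOwnProperty.call(SOURCE_TIER, source)
    ? SOURCE_TIER[source]
    : LOWEST_TIER;
}

// record: { fieldName: { value, source, tier } }
// Returns the new record plus a log of rejected writes, so a blocked
// overwrite is visible to reviewers rather than silently dropped.
function applyUpdate(record, source, fields) {
  const tier = tierOf(source);
  const next = { ...record };
  const rejected = [];
  for (const [name, value] of Object.entries(fields)) {
    const current = next[name];
    // Assumption: an equal tier may overwrite (newer data from a peer source).
    if (current === undefined || tier <= current.tier) {
      next[name] = { value, source, tier };
    } else {
      rejected.push({ field: name, source, tier, keptFrom: current.source });
    }
  }
  return { record: next, rejected };
}

// Constructed sample: a news report arrives first, NVD corrects the score,
// then a second news report tries to change the score back.
function demo() {
  let state = applyUpdate({}, "BleepingComputer", { cvss: 7.5, vendor: "ExampleCorp" });
  state = applyUpdate(state.record, "NVD", { cvss: 9.8 });
  return applyUpdate(state.record, "SecurityWeek", { cvss: 6.1, patch: "pending" });
}
```

A lower-tier source can still fill a field that no one has set yet, which is why `patch` is accepted in the last step while `cvss` is not.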
Zero Day Monitor is licensed under AGPL-3.0. The source code is not yet publicly available but will be shared with contributors and collaborators as the project grows, with a full public release planned for a later stage.
The platform is built with Next.js, PostgreSQL (with pgvector for semantic search), Redis, and a 7-provider LLM fallback chain that prioritizes free providers before paid ones. Self-hosting will be supported via Docker Compose once the source is published.