OpenVOC

Vulnerability Management Platform — User Manual

OpenVOC is an open-source platform designed to help organisations track, qualify and communicate about public software vulnerabilities — from automated ingestion to group-level remediation tracking.

Tags: PHP 8.1+ · MVC · MariaDB · CycloneDX SBOM · Open Source

What is OpenVOC?

OpenVOC is a vulnerability management platform that aggregates public security advisories from sources such as CERT-FR, CISA KEV and EUVD (ENISA), qualifies them into structured records called Publiflaws, and distributes them to relevant teams via email notifications with one-click remediation status buttons.

Unlike heavyweight commercial tools, OpenVOC is intentionally lightweight: it focuses on communication and tracking rather than active scanning. Groups subscribe to products, receive targeted alerts, and report back their remediation state — all without any agent.

Automated Ingestion

Connectors pull advisories from official sources on a schedule and push them into the review queue.

Targeted Notifications

Each group only receives alerts about the products it subscribes to, reducing noise.

Remediation Tracking

Groups update patch status via one-click email buttons. Progress is aggregated on the dashboard.

Modular Architecture

Pluggable connectors feed Publiflaws (CERT-FR, CISA…) and Sysflaws (CMDB, scanners). New sources integrate without modifying the platform core.

Hierarchical RBAC

Groups can have sub-groups. A group has visibility over its own data and all its sub-groups', enabling fine-grained access delegation.

Configurable Workflow

Remediation states, labels, colours and progress % are fully configurable by administrators — tailor the process to your organisation.

Key Concepts

Publiflaw

A structured vulnerability record derived from a public advisory. Contains title, severity, CVE/CWE identifiers, affected product, description and remediation guidance. Lifecycle: pending review → validated → sent; a record judged irrelevant goes from pending review to ignored instead.

Group

A team or organisational unit that tracks one or more products. Groups receive email notifications when a publiflaw affects their subscribed products, and report their remediation state per publiflaw.

Product

A software component or application (e.g. Apache HTTP Server) belonging to a vendor. Groups subscribe to products to receive relevant alerts. Products carry CycloneDX SBOM metadata (PURL, license, component type).

Asset

A physical or virtual device (server, workstation, container…) belonging to a group. Assets link to installed products and support CycloneDX SBOM import/export.

Group State

Remediation status a group assigns to a publiflaw (e.g. No Information, In Progress, Patched). Configurable by admins with a progress percentage (0–100%) used in dashboards.

Connector

An automated data source that fetches and parses public security advisories (CERT-FR Alertes, CERT-FR Avis, CISA KEV, EUVD ENISA). Runs on a cron schedule, pushes entries to the review queue.

Sysflaw

A vulnerability at OS level detected via an external CMDB connector (e.g. a CVE from a Nessus scan). Linked directly to assets rather than products.

SBOM

Software Bill of Materials in CycloneDX 1.6 format. OpenVOC can export an asset's component list as an SBOM JSON file and import SBOM files to enrich asset and product data.

Publifaille / Publiflaw

A Publiflaw is a structured vulnerability bulletin derived from a public advisory (CERT-FR, CISA KEV, EUVD ENISA…). It is linked to a software product and triggers targeted notifications to groups subscribed to that product. Its lifecycle — pending review, validated, sent — is managed by analysts. The remediation states groups assign to it (e.g. in progress, patched) are fully configurable.

Sysfaille / Sysflaw

A Sysflaw is a vulnerability detected directly on an asset (server, workstation, container…), typically reported by a CMDB connector or scanner (e.g. Nessus). It is linked to the affected machine rather than to a software product, and represents the technical dimension of remediation — complementary to the organisational dimension of the Publiflaw.

Publiflaw Workflow

Every vulnerability managed in OpenVOC follows a structured three-phase lifecycle: Alerting, Identification and Remediation. The phases below show how a publiflaw travels from creation to full resolution for every impacted member.

Phase 1

Alerting

  • An analyst creates or validates a publiflaw from the review queue.
  • The analyst clicks Send Now and selects recipient groups.
  • OpenVOC emails all members whose group subscribes to the affected product.

Phase 2

Identification

  • Each member checks whether their infrastructure includes the affected product.
  • If not affected: update status to Not Affected — no further action needed.
  • If affected: add every asset running the product to OpenVOC, then create a sysflaw for each vulnerable system.

Phase 3

Remediation

  • Members apply patches or mitigations to each vulnerable asset.
  • Every sysflaw linked to the publiflaw must be marked remediated.
  • Once all sysflaws are resolved, the member's publiflaw status can be set to Patched.

Identification decision tree

When a member receives a publiflaw notification, they should follow this decision path:

Publiflaw notification received

Does your group use the affected product?

NO — not affected
  1. Confirm that none of your assets run the affected product or version.
  2. Update your group's publiflaw status to Not Affected or the equivalent configured state.
  3. No sysflaw needs to be created. The publiflaw is closed for your group.

YES — affected
  1. Identify every asset in your infrastructure that runs the affected product.
  2. Add each asset to OpenVOC (if not already present) under your group.
  3. Create a sysflaw for each vulnerable asset, linking it to the publiflaw.
  4. Apply patches or mitigations and mark each sysflaw as remediated as you go.
  5. Once all sysflaws are resolved, set your group's publiflaw status to Patched.

Publiflaw complete for your group — all associated sysflaws are remediated and the group status is set to a terminal state (e.g. Patched or Not Affected).

Sysflaw vs Publiflaw status: a publiflaw tracks organisational remediation at group level. A sysflaw tracks technical remediation at asset level. Both must reach a resolved state for a complete remediation picture.
Configurable workflow: remediation states (in progress, patched, not affected…) are fully configurable by administrators — FR/EN labels, email button colour and progress percentage. Tailor the treatment process to your organisation via Administration → Group States.
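To make the two-level rule concrete, the following PHP (an added example, not OpenVOC's own code) computes the dashboard average from the configured progress percentages and flags the contradictions the note above warns about: a group reporting Patched while one of its sysflaws is still open, or Not Affected while sysflaws are linked to the publiflaw. The state table, the sysflaw rows and the field names are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example (not OpenVOC's own code) of the two-level status model:
// group state (organisational) versus linked sysflaws (technical), plus the
// dashboard average that the configurable progress % feeds.
// The state table and the sysflaw rows are constructed; field names are assumptions.

/** Group states as an administrator might configure them: slug => progress %. */
const GROUP_STATES = [
    'no_information' => 0,
    'in_progress'    => 50,
    'not_affected'   => 100,
    'patched'        => 100,
];

/** Dashboard figure for one publiflaw: mean progress % over the groups it was sent to. */
function publiflawProgress(array $stateByGroup): float
{
    if ($stateByGroup === []) {
        return 0.0;
    }
    $total = 0;
    foreach ($stateByGroup as $group => $slug) {
        if (!array_key_exists($slug, GROUP_STATES)) {
            throw new InvalidArgumentException("group $group has unknown state '$slug'");
        }
        $total += GROUP_STATES[$slug];
    }
    return $total / count($stateByGroup);
}

/**
 * Compare one group's publiflaw state with the sysflaws it linked to that publiflaw.
 * Returns the list of contradictions; an empty list means the two levels agree.
 */
function checkGroupStatus(string $slug, array $sysflaws): array
{
    $open = array_filter($sysflaws, static fn(array $s): bool => $s['remediated_at'] === null);
    $problems = [];
    if ($slug === 'patched' && $open !== []) {
        $problems[] = count($open) . ' sysflaw(s) still open although the group reports patched';
    }
    if ($slug === 'not_affected' && $sysflaws !== []) {
        $problems[] = 'group reports not affected but has sysflaws linked to this publiflaw';
    }
    return $problems;
}

/** True when the group's remediation of this publiflaw is complete at both levels. */
function groupRemediationComplete(string $slug, array $sysflaws): bool
{
    return GROUP_STATES[$slug] === 100 && checkGroupStatus($slug, $sysflaws) === [];
}

// Constructed data: one publiflaw sent to three groups.
$stateByGroup = ['infra' => 'patched', 'dev' => 'in_progress', 'hr' => 'not_affected'];
$sysflawsByGroup = [
    'infra' => [
        ['asset' => 'web-01', 'remediated_at' => '2026-01-10'],
        ['asset' => 'web-02', 'remediated_at' => null],   // forgotten: still open
    ],
    'dev' => [
        ['asset' => 'ci-runner', 'remediated_at' => null],
    ],
    'hr' => [],
];

printf("dashboard progress: %.1f%%\n", publiflawProgress($stateByGroup));
foreach ($stateByGroup as $group => $slug) {
    $problems = checkGroupStatus($slug, $sysflawsByGroup[$group]);
    $complete = groupRemediationComplete($slug, $sysflawsByGroup[$group]) ? 'complete' : 'open';
    echo "$group ($slug): $complete", $problems ? '; ' . implode('; ', $problems) : '', PHP_EOL;
}
```

The dashboard average only reflects what groups declare; the consistency check is what catches a group that set Patched before its last sysflaw was closed. Running such a check before accepting a terminal state is a sensible place to enforce the "both levels resolved" rule.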

User Roles

OpenVOC has three roles with cumulative permissions:

Member
  • View their group's publiflaws
  • Update remediation status
  • View their group's assets
  • Receive email notifications
Analyst
  • All member permissions
  • Review & validate publiflaws
  • Create & edit publiflaws
  • Send notifications to groups
  • Manage products & vendors
  • Manage assets & SBOM
Administrator
  • All analyst permissions
  • Manage users & groups
  • Manage connectors
  • Configure group states
  • Manage crontab & SMTP

Member Guide

As a member, you belong to one or more groups. Your view of OpenVOC is focused on the vulnerabilities that matter to your team, the assets you manage, and the remediation actions you need to take.

Dashboard

The dashboard is your home page after login. It shows:

  • Summary counters — total publiflaws sent to your groups, how many are fully resolved, and how many remain open.
  • Progress bars per publiflaw — average remediation progress across all your groups. Green = 100% resolved, yellow = in progress, red = not started.
  • Severity breakdown — quick view of critical/high/medium/low publiflaws affecting your groups.

My Publiflaws

My Space → My Publiflaws lists all vulnerabilities sent to at least one of your groups. For each publiflaw you can see:

  • Title, severity, affected product(s) and CVE identifier.
  • Your group's current remediation state (e.g. No Information, In Progress, Patched).
  • A status-change dropdown to update your group's state directly from the list.

The list can be filtered by Severity, Group (if you belong to multiple groups), and My Status to focus on what needs attention.

Tip: If you belong to multiple groups, each group has its own independent state per publiflaw. Update each one separately from the publiflaw detail page.

My Sysflaws

My Space → My Sysflaws shows system-level vulnerabilities detected by an external CMDB connector and linked directly to your group's assets. Unlike publiflaws (product-based), sysflaws target specific machines.

My Assets

My Space → My Assets displays devices (servers, workstations, containers…) belonging to your group, with state, IP address, hostname, and count of installed software products.

Email Notifications & One-Click Actions

When an analyst validates and sends a publiflaw, your group receives a structured email containing:

  • Severity banner — coloured header showing severity level and vulnerability title.
  • Risk indicators table — CVSS score, CVSS vector, and tri-state flags for patch availability, workaround, proof-of-concept, active exploitation, CISA KEV, and CERT-FR alert status.
  • Content sections — description, impacts, and solutions/remediation (only shown when populated).
  • Affected products — bullet list of products and versions concerned.
  • Identifiers — CVE, EUVD, CWE, source reference, publication date, and external link.
  • One-click action buttons — one per configurable remediation state.
  • A link to the full publiflaw detail page.

Clicking an action button updates your group's state immediately, without logging in. Each button carries a unique, time-limited, single-use token that is consumed on click; tokens expire after 30 days. Because no login is required, the notification email itself acts as a bearer credential: anyone holding a copy (for example a forwarded message) can press the buttons until the tokens are consumed or expire, so forward notifications with care.

Each token can only be used once. To change your answer, log in and update the status from the publiflaw detail page.

Analyst Guide

Analysts qualify incoming vulnerability data and decide which groups should be notified. They control the full editorial lifecycle of publiflaws.

Review Queue

Analyst → Review Queue lists all publiflaws in pending_review state. A red badge in the sidebar shows the count. For each entry you can:

  • View the full detail (title, description, CVE, CVSS, impacts, solutions).
  • Edit the record to fix data quality issues before sending.
  • Validate — moves to validated state and assigns it to all groups subscribed to the affected product.
  • Ignore — marks as irrelevant; disappears from the queue without notifying anyone.

Creating a Publiflaw Manually

Use Analyst → Create Publiflaw to add a vulnerability not picked up by a connector.

Fields:

  • Title: Short, descriptive vulnerability title.
  • Product: Affected product from the catalog. Determines which groups are notified.
  • Severity: Critical / High / Medium / Low / Info.
  • CVE: One or more CVE identifiers, comma-separated.
  • CVSS Score: Numeric score 0.0–10.0.
  • Description: What is vulnerable and why it matters.
  • Impacts: Potential impact if exploited.
  • Solutions: Recommended patch or mitigation steps.
  • Published Date: Original advisory publication date.
  • External Link: URL to the original advisory.
  • CISA KEV / CERT-FR flags: Indicate presence in those databases.

Validate & Send

Pending Review → [Validate] → Validated → [Send Now] → Sent

After validation, go to the publiflaw detail page and click Send Now. Choose which groups to notify and optionally add extra email addresses. The system generates one-click action tokens per state per group and dispatches the email.

Re-sending: You can send a publiflaw multiple times (e.g. after editing or adding new groups). Each send generates fresh tokens.
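The token lifecycle described in the member section (one-click buttons, 30-day expiry, single use) and here (fresh tokens per state per group on every send) can be sketched as follows. This is an added PHP example, not OpenVOC's own code; the in-memory store, the field names and the choice to keep only a SHA-256 digest of each token server-side are assumptions of the example.

```php
<?php
declare(strict_types=1);

// Added example (not OpenVOC's own code) of the one-click action token lifecycle:
// one 64-hex-character token per remediation state per group for each send,
// valid for 30 days, consumed on first use. The in-memory $store stands in for
// the token table. Storing only a SHA-256 digest of the token (so a database
// leak does not yield usable tokens) is this example's hardening choice, not
// documented OpenVOC behaviour.

const TOKEN_TTL_SECONDS = 30 * 24 * 3600;

/** Issue one token per configured state slug; returns slug => plaintext token for the email buttons. */
function issueActionTokens(array &$store, int $publiflawId, int $groupId, array $stateSlugs, int $now): array
{
    $plain = [];
    foreach ($stateSlugs as $slug) {
        $token = bin2hex(random_bytes(32)); // 32 CSPRNG bytes -> 64 hex characters
        $store[hash('sha256', $token)] = [
            'publiflaw_id' => $publiflawId,
            'group_id'     => $groupId,
            'state'        => $slug,
            'expires_at'   => $now + TOKEN_TTL_SECONDS,
            'used_at'      => null,
        ];
        $plain[$slug] = $token; // only ever leaves the server inside the email link
    }
    return $plain;
}

/**
 * Handle a button click. Every rejection uses the same message so a caller cannot
 * tell an unknown token from an expired or already-consumed one.
 */
function consumeActionToken(array &$store, string $token, int $now): array
{
    $rejected = ['ok' => false, 'error' => 'invalid or expired token'];
    if (preg_match('/\A[0-9a-f]{64}\z/', $token) !== 1) {
        return $rejected;
    }
    $key = hash('sha256', $token); // lookup by digest: no plaintext comparison, no timing leak
    $row = $store[$key] ?? null;
    if ($row === null || $row['used_at'] !== null || $row['expires_at'] <= $now) {
        return $rejected;
    }
    $store[$key]['used_at'] = $now; // single use: consumed before the state change is applied
    return [
        'ok'           => true,
        'publiflaw_id' => $row['publiflaw_id'],
        'group_id'     => $row['group_id'],
        'state'        => $row['state'],
    ];
}

// Constructed walk-through: a send to group 7 for publiflaw 42 with three configured states.
$store = [];
$now   = time();
$buttons = issueActionTokens($store, 42, 7, ['in_progress', 'patched', 'not_affected'], $now);

$first  = consumeActionToken($store, $buttons['patched'], $now + 60);                         // first click
$second = consumeActionToken($store, $buttons['patched'], $now + 120);                        // same link again
$late   = consumeActionToken($store, $buttons['in_progress'], $now + TOKEN_TTL_SECONDS + 1);  // after the 30-day window

foreach (['first' => $first, 'second' => $second, 'late' => $late] as $label => $result) {
    echo $label, ': ', $result['ok'] ? "apply state {$result['state']} for group {$result['group_id']}" : $result['error'], PHP_EOL;
}
```

With a real database, the "mark consumed" step should be a single conditional statement (for example an UPDATE on the token row with a WHERE clause requiring used_at to be NULL and expires_at to be in the future) and the state change applied only when exactly one row was affected; otherwise two near-simultaneous clicks on the same link can both succeed. Since the link is the whole credential, every recipient of the email, including anyone it is forwarded to, can act on the group's behalf until the token is consumed or expires.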

Products & Vendors

Analyst → Products is the software catalog. Each product is linked to a vendor and can carry a version, CPE, PURL, component type, license and description. Products determine which groups are notified when a publiflaw is validated — only groups subscribed to the affected product receive the alert.

Creating or editing a product requires at least the Analyst role. Group subscription is configured on the product edit page.

Assets & SBOM

Analyst → Assets manages the device inventory. Each asset detail page provides a component table, an affected-publiflaws panel, SBOM export and SBOM import.

CycloneDX Import — Component Resolution Order

  1. PURL exact match: the component has a PURL matching an existing product.
  2. Name + vendor match: search by product name and vendor name.
  3. Name-only match: falls back to the name without vendor.
  4. Create new product: a new product (and vendor if needed) is created automatically.
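The following PHP runs that resolution order over a small constructed CycloneDX 1.6 document. It is an added example, not OpenVOC's own code; the product row fields and the catalog array standing in for the products table are assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not OpenVOC's own code) running the four-step component
// resolution order over a constructed CycloneDX 1.6 document. $catalog
// (id => product row) stands in for the products table; its field names are assumptions.

/** Resolve one SBOM component to a product id, creating the product at step 4. */
function resolveComponent(array $component, array &$catalog, array &$log): int
{
    $purl   = $component['purl'] ?? null;
    $name   = trim((string) ($component['name'] ?? ''));
    // CycloneDX carries the vendor either as the free-text "publisher" or as supplier.name
    $vendor = $component['publisher'] ?? ($component['supplier']['name'] ?? null);
    if ($name === '') {
        throw new InvalidArgumentException('component without a name cannot be resolved');
    }

    // 1. PURL exact match: strongest signal, version-qualified
    if ($purl !== null) {
        foreach ($catalog as $id => $p) {
            if (($p['purl'] ?? null) === $purl) {
                $log[] = "$name: step 1, PURL match -> product $id";
                return $id;
            }
        }
    }
    // 2. Name + vendor match (case-insensitive)
    if ($vendor !== null) {
        foreach ($catalog as $id => $p) {
            if (strcasecmp($p['name'], $name) === 0 && strcasecmp($p['vendor'], $vendor) === 0) {
                $log[] = "$name: step 2, name+vendor match -> product $id";
                return $id;
            }
        }
    }
    // 3. Name-only match: weakest signal, may merge same-named products of different vendors
    foreach ($catalog as $id => $p) {
        if (strcasecmp($p['name'], $name) === 0) {
            $log[] = "$name: step 3, name-only match -> product $id";
            return $id;
        }
    }
    // 4. Create the product (vendor falls back to a placeholder when the SBOM has none)
    $id = $catalog === [] ? 1 : max(array_keys($catalog)) + 1;
    $catalog[$id] = [
        'name'    => $name,
        'vendor'  => $vendor ?? 'unknown',
        'purl'    => $purl,
        'version' => $component['version'] ?? null,
        'type'    => $component['type'] ?? null,
    ];
    $log[] = "$name: step 4, created product $id";
    return $id;
}

/** Import an SBOM for one asset: returns the product ids now linked to it plus a resolution log. */
function importSbom(string $json, array &$catalog): array
{
    $doc = json_decode($json, true, 64, JSON_THROW_ON_ERROR);
    if (($doc['bomFormat'] ?? null) !== 'CycloneDX' || !is_array($doc['components'] ?? null)) {
        throw new InvalidArgumentException('not a CycloneDX BOM with a components list');
    }
    $log = [];
    $ids = [];
    foreach ($doc['components'] as $component) {
        $ids[] = resolveComponent($component, $catalog, $log);
    }
    return ['product_ids' => array_values(array_unique($ids)), 'log' => $log];
}

// Constructed catalog and SBOM for the walk-through.
$catalog = [
    1 => ['name' => 'Apache HTTP Server', 'vendor' => 'Apache Software Foundation', 'purl' => 'pkg:generic/apache/httpd@2.4.58', 'version' => '2.4.58', 'type' => 'application'],
    2 => ['name' => 'OpenSSL', 'vendor' => 'OpenSSL Project', 'purl' => null, 'version' => '3.0.13', 'type' => 'library'],
];
$sbom = <<<'JSON'
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "version": 1,
  "components": [
    {"type": "application", "name": "Apache HTTP Server", "version": "2.4.58", "purl": "pkg:generic/apache/httpd@2.4.58"},
    {"type": "library", "name": "openssl", "version": "3.0.13", "supplier": {"name": "OpenSSL Project"}},
    {"type": "library", "name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21", "publisher": "lodash team"}
  ]
}
JSON;

$result = importSbom($sbom, $catalog);
foreach ($result['log'] as $line) {
    echo $line, PHP_EOL;
}
```

Step 3 is the one to watch after an import: a component whose name matches an existing product of a different vendor is silently attached to that product, so review the step-3 and step-4 lines of the log before trusting the notifications that follow.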

Administrator Guide

Administrators configure the platform, manage all users and groups, maintain the product and asset catalog, and control system-level settings.

Users

Administration → Users lists all platform accounts. You can create, edit, suspend and delete users. A user can belong to multiple groups and holds one primary role (member, analyst, or administrator).

Assign analyst to team members who qualify vulnerabilities, and administrator only to platform managers.

Groups

Groups represent organisational units. Each group has a name, notification email, language preference (FR/EN), optional parent group, and a list of subscribed products.

Deleting a group removes all its publiflaw states. Export data or reassign publiflaws before deletion.
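The visibility rule from the Hierarchical RBAC overview (a group sees its own data and all its sub-groups') and the optional parent group field described above come together in the following PHP, an added example rather than OpenVOC's own code. The parents map stands in for the groups table, and the cycle guard on parent assignment is this example's assumption.

```php
<?php
declare(strict_types=1);

// Added example (not OpenVOC's own code) of hierarchical group visibility:
// a group sees its own data and that of every transitive sub-group.
// $parents maps group id => parent group id (null for a top-level group) and
// stands in for the groups table. The cycle guard is an assumption of this example.

/** Ids of $groupId and every transitive sub-group. */
function visibleGroupIds(int $groupId, array $parents): array
{
    $children = [];
    foreach ($parents as $id => $parentId) {
        if ($parentId !== null) {
            $children[$parentId][] = $id;
        }
    }
    $visible = [];
    $stack = [$groupId];
    while ($stack !== []) {
        $current = array_pop($stack);
        if (isset($visible[$current])) {
            continue; // already visited: a mis-configured parent cycle cannot loop forever
        }
        $visible[$current] = true;
        foreach ($children[$current] ?? [] as $child) {
            $stack[] = $child;
        }
    }
    return array_keys($visible);
}

/** Visibility set of a user who belongs to several groups: union of each group's set. */
function visibleGroupIdsForUser(array $userGroupIds, array $parents): array
{
    $all = [];
    foreach ($userGroupIds as $g) {
        foreach (visibleGroupIds($g, $parents) as $id) {
            $all[$id] = true;
        }
    }
    return array_keys($all);
}

/** Authorisation check before showing a publiflaw state, asset or sysflaw owned by $ownerGroupId. */
function canSeeGroup(array $userGroupIds, int $ownerGroupId, array $parents): bool
{
    return in_array($ownerGroupId, visibleGroupIdsForUser($userGroupIds, $parents), true);
}

/** Refuse a parent assignment that would make $groupId its own ancestor. */
function wouldCreateCycle(int $groupId, ?int $newParentId, array $parents): bool
{
    $seen = [];
    for ($p = $newParentId; $p !== null; $p = $parents[$p] ?? null) {
        if ($p === $groupId || isset($seen[$p])) {
            return true;
        }
        $seen[$p] = true;
    }
    return false;
}

// Constructed hierarchy: IT(1) > Infra(2) > Linux(4), Windows(5); IT(1) > Dev(3); HR(6) is a separate root.
$parents = [1 => null, 2 => 1, 3 => 1, 4 => 2, 5 => 2, 6 => null];

$it = visibleGroupIds(1, $parents);
sort($it);
echo 'IT sees groups: ', implode(',', $it), PHP_EOL;
echo 'Infra sees HR? ', canSeeGroup([2], 6, $parents) ? 'yes' : 'no', PHP_EOL;
echo 'Linux sees Infra? ', canSeeGroup([4], 2, $parents) ? 'yes' : 'no', PHP_EOL;
echo 'Make IT a child of Linux? ', wouldCreateCycle(1, 4, $parents) ? 'rejected (cycle)' : 'ok', PHP_EOL;
```

Visibility only flows downwards: a member of a sub-group does not see the parent group's publiflaw states or assets, while a user in several groups gets the union of their sets. Checking for cycles when the parent group is edited keeps the hierarchy a tree, which is what the visibility computation assumes.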

Connectors

Administration → Connectors shows the list of data source connectors. Each connector has a status toggle, a Run Now button, and a Logs link. Only administrators can enable/disable or run connectors.

Connector | Source | Type
CERT-FR Alertes | cert.ssi.gouv.fr/alerte | Critical advisories (French NCSC)
CERT-FR Avis | cert.ssi.gouv.fr/avis | General advisories (French NCSC)
CISA KEV | cisa.gov/known-exploited-vulnerabilities-catalog | Known Exploited Vulnerabilities
EUVD ENISA | euvd.enisa.europa.eu | European Union Vulnerability Database (ENISA)

Connectors are scheduled via Administration → Crontab. Recommended: run fetch+parse once per day (e.g. 0 6 * * *).

Group States

Administration → Group States defines the possible remediation states. For each state: internal slug (immutable), EN/FR label, progress % (0–100), and button colour for email notifications.

A state in use cannot be deleted. Reassign all groups first.

Crontab

Administration → Crontab manages connector scheduling. Add connectors with preset expressions, view parsed entries, or edit the raw crontab directly.

0 6 * * *   php /path/to/cli/connector.php run cert-fr_alerte fetch && \
            php /path/to/cli/connector.php run cert-fr_alerte parse

Email Settings

Settings → Email Settings configures the SMTP server. Settings are stored in the database and editable at runtime. Use the Send Test Email button to verify the configuration.

Settings:

  • SMTP Enabled: Master on/off. When off, emails are logged only.
  • SMTP Host / Port: Mail server address and port (587 for STARTTLS, 465 for implicit TLS).
  • Username / Password: SMTP credentials. The password is stored AES-256 encrypted.
  • From Email / Name: Sender address and display name shown to recipients.
  • App URL: Base URL of your OpenVOC instance, used to build the links and one-click buttons in emails.

Glossary

BOM

Bill of Materials — a structured list of components (software or hardware) in a product or system.

CPE

Common Platform Enumeration — a structured naming scheme for IT systems, software and packages.

CVE

Common Vulnerabilities and Exposures — a publicly known cybersecurity vulnerability identifier (e.g. CVE-2021-44228).

CVSS

Common Vulnerability Scoring System — a numeric score (0.0–10.0) representing severity.

CWE

Common Weakness Enumeration — a category system for software weaknesses.

CycloneDX

An OWASP standard for Software Bill of Materials. OpenVOC uses CycloneDX 1.6 JSON.

EUVD

European Union Vulnerability Database — maintained by ENISA.

KEV

Known Exploited Vulnerabilities — a CISA catalog of vulnerabilities with confirmed active exploitation.

PURL

Package URL — a standard for identifying software packages across ecosystems (e.g. pkg:npm/lodash@4.17.21).

SBOM

Software Bill of Materials — a complete list of components, libraries and dependencies.

SPDX

Software Package Data Exchange — a standard for SBOM information including licenses (e.g. Apache-2.0, MIT).

STARTTLS

An SMTP extension that upgrades a plaintext connection to TLS after the initial handshake. Used on the submission port 587; port 465 instead uses implicit TLS from the first byte.

Action Token

A single-use 64-character hex secret embedded in email buttons. Consumed on click, expires after 30 days.

OpenVOC Documentation · 2026 · GitHub