Vulnerator has been designed to assist U.S. Department of Defense (DoD) cybersecurity analysts with the daunting task of consolidating vulnerability data from the numerous sources that have been mandated:
– The Assured Compliance Assessment Solution (ACAS)
– Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs)
– Security Content Automation Protocol (SCAP) content parsed via ACAS or the SCAP Compliance Checker (SCC)
– Windows Automated Security Scanning Program (WASSP)
With the move from SoftwareForge to the public domain, the integrity of the application has recently been thrust into the limelight. To ensure the application is secure, please note the following measures:
+ @amkuchta has personally had his hand in every line of code in the application – there is not a single file that has not been touched, modified, or updated by him
+ Only four GitHub users have the power to update the application. This means that although anybody can fork the repository and change their personal repo, only one of the four “gatekeepers” can authorize a change to the master branch
+ Each release is listed with both an MD5 and SHA256 checksum value – after you download the application, I encourage you to check the hash yourself to ensure that you downloaded what you expected
+ If the above measures are not enough, please feel free to create your own fork of the repository and compile the application yourself – this will allow you to do a manual code review to ensure that no malicious lines exist before creating an executable.
Extract the entire folder from the "*.zip" file you just downloaded
Launch the "Vulnerator.exe" file from within the folder you just extracted
++ The executable has hidden files that it depends on to run - they are shipped with the application. If Vulnerator does not find these files in the directory it is in, it will yell at you, which will make you yell at me... and I don't like being yelled at.
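
The checksum check and the extraction steps above, combined into one PowerShell script. This is an added example, not part of the Vulnerator project: it compares the downloaded archive against the SHA256 value listed with the release and extracts the full folder only if they match. The parameter names and default destination folder are assumptions; the expected checksum must be copied from the release listing.

```powershell
# Added example: parameter names and the default destination are assumptions.
param(
    [Parameter(Mandatory)] [string] $ZipPath,         # the "*.zip" you downloaded
    [Parameter(Mandatory)] [string] $ExpectedSha256,  # SHA256 value listed with the release
    [string] $Destination = (Join-Path $PWD 'Vulnerator')
)

$ErrorActionPreference = 'Stop'

# Normalise the published value: drop stray whitespace from copy/paste, upper-case it.
$expected = ($ExpectedSha256 -replace '\s', '').ToUpperInvariant()
if ($expected -notmatch '^[0-9A-F]{64}$') {
    throw 'Expected value is not a 64-character SHA256 hex digest.'
}

# Hash the archive before anything inside it is unpacked or executed.
$actual = (Get-FileHash -LiteralPath $ZipPath -Algorithm SHA256).Hash.ToUpperInvariant()
if ($actual -ne $expected) {
    throw "SHA256 mismatch for $ZipPath. Expected $expected, got $actual. Not extracting."
}

# Extract the entire archive so the files shipped alongside the executable come with it.
Expand-Archive -LiteralPath $ZipPath -DestinationPath $Destination

# Locate the executable inside the extracted tree.
$exe = Get-ChildItem -LiteralPath $Destination -Recurse -Filter 'Vulnerator.exe' |
    Select-Object -First 1
if (-not $exe) {
    throw "Vulnerator.exe was not found under $Destination."
}

# -Force includes hidden items, so the listing shows everything next to the executable.
Get-ChildItem -LiteralPath $exe.DirectoryName -Force | Select-Object Name, Attributes

Write-Output "Checksum verified. Launch: $($exe.FullName)"
```

The script checks SHA256 rather than MD5 because MD5 is not collision-resistant.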