# disclosure-lag
Dashboard tracking the gap between when OSS vulnerabilities are silently fixed in code and when CVEs are publicly disclosed. Security teams use this to see which dependencies get stealth-fixed and how long the exposure window lasts.
## What it does
- Ingests vulnerability records from OSV.dev for popular packages across npm, PyPI, Go, and crates.io
- Resolves fix commit timestamps via GitHub REST API
- Cross-references CVE publication dates via NVD API 2.0
- Computes the "lag" — hours between when a fix commit landed and when the vulnerability was publicly disclosed
- Positive lag = stealth fix (fix existed before disclosure — the dangerous case)
- Displays all data in a real-time dashboard with ecosystem comparison charts and trend lines
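The lag computation described above, carried through for one record as an added example (this is not code from the disclosure-lag project). The OSV record, GitHub commit response and NVD response are constructed samples in the shape those three APIs return; the package, repository, commit sha and CVE id are placeholders. The example also validates the repo URL and commit sha before they would be interpolated into a GitHub API path, and returns a null lag rather than a number when either timestamp is unavailable.

```javascript
// Added example, not code from the disclosure-lag project. All three
// payloads below are constructed samples in the shape of the real APIs.

// OSV record (public OSV schema): the fix commit is the `fixed` event of a
// GIT range, the CVE id is listed under `aliases`. Ids here are placeholders.
const osvRecord = {
  id: "GHSA-0000-0000-0000",
  aliases: ["CVE-0000-00000"],
  affected: [
    {
      package: { ecosystem: "npm", name: "example-pkg" },
      ranges: [
        {
          type: "GIT",
          repo: "https://github.com/example-org/example-pkg",
          events: [
            { introduced: "0" },
            { fixed: "0123456789abcdef0123456789abcdef01234567" },
          ],
        },
      ],
    },
  ],
};

// GitHub GET /repos/{owner}/{repo}/commits/{sha}, trimmed to the fields used.
// committer.date is when the commit landed; author.date can be days earlier
// after a rebase, so it is not the "fix shipped" moment.
const githubCommit = {
  sha: "0123456789abcdef0123456789abcdef01234567",
  commit: {
    author: { date: "2024-03-01T09:00:00Z" },
    committer: { date: "2024-03-03T12:00:00Z" },
  },
};

// NVD API 2.0 ?cveId= response, trimmed. NVD emits `published` without a
// zone suffix; it is treated as UTC here (assumption).
const nvdResponse = {
  vulnerabilities: [
    { cve: { id: "CVE-0000-00000", published: "2024-03-10T18:15:00.000" } },
  ],
};

const SHA_RE = /^[0-9a-f]{7,40}$/i;
const CVE_RE = /^CVE-\d{4}-\d{4,}$/;

// Collect GitHub fix commits from an OSV record. repo and sha would be
// interpolated into an API path later, so both are validated here instead
// of being trusted straight from the feed.
function extractFixCommits(vuln) {
  const commits = [];
  for (const aff of vuln.affected ?? []) {
    for (const range of aff.ranges ?? []) {
      if (range.type !== "GIT" || typeof range.repo !== "string") continue;
      let url;
      try { url = new URL(range.repo); } catch { continue; }
      if (url.host !== "github.com") continue;
      const [owner, repo] = url.pathname.replace(/^\/+|\.git$|\/+$/g, "").split("/");
      if (!owner || !repo) continue;
      for (const ev of range.events ?? []) {
        if (typeof ev.fixed === "string" && SHA_RE.test(ev.fixed)) {
          commits.push({ owner, repo, sha: ev.fixed.toLowerCase(),
                         ecosystem: aff.package?.ecosystem ?? null,
                         name: aff.package?.name ?? null });
        }
      }
    }
  }
  return commits;
}

// Parse a timestamp, appending "Z" when no zone is present (NVD's format).
function parseUtc(value) {
  if (typeof value !== "string") return null;
  const iso = /(Z|[+-]\d\d:\d\d)$/.test(value) ? value : value + "Z";
  const d = new Date(iso);
  return Number.isNaN(d.getTime()) ? null : d;
}

// Lag in hours between the fix commit landing and the CVE being published.
// Positive = the fix was public in code before the disclosure (stealth fix).
function computeLag({ osv, commit, nvd }) {
  const fix = extractFixCommits(osv)[0] ?? null;
  const cve = (osv.aliases ?? []).find((a) => CVE_RE.test(a)) ?? null;
  const result = { id: osv.id, cve, ecosystem: fix?.ecosystem ?? null,
                   package: fix?.name ?? null, fixCommittedAt: null,
                   disclosedAt: null, lagHours: null, stealthFix: null };
  if (!fix) return { ...result, reason: "no GitHub fix commit in OSV record" };
  const shaMatches = typeof commit?.sha === "string" &&
                     commit.sha.toLowerCase().startsWith(fix.sha);
  const committed = shaMatches ? parseUtc(commit.commit?.committer?.date) : null;
  const disclosed = parseUtc(nvd?.vulnerabilities?.[0]?.cve?.published);
  if (!committed) return { ...result, reason: "fix commit timestamp unavailable" };
  if (!disclosed) return { ...result, reason: "CVE not yet published in NVD" };
  const lagHours = (disclosed.getTime() - committed.getTime()) / 3_600_000;
  return { ...result, fixCommittedAt: committed.toISOString(),
           disclosedAt: disclosed.toISOString(), lagHours, stealthFix: lagHours > 0 };
}

console.log(computeLag({ osv: osvRecord, commit: githubCommit, nvd: nvdResponse }));
```

For the constructed sample the fix landed on 2024-03-03 12:00 UTC and the CVE was published 2024-03-10 18:15 UTC, giving a lag of 174.25 hours and `stealthFix: true`. The committer date rather than the author date is used because a rebased commit keeps its original author date, which would overstate the exposure window; a record whose fix commit or CVE entry cannot be resolved yet is kept with a null lag so it can be retried on the next scheduled run instead of being counted as zero.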
## Data Sources
| Source | URL | Refresh Interval | Auth |
|--------|-----|-------------------|------|
| OSV.dev API | https://api.osv.dev/v1/querybatch + https://api.osv.dev/v1/vulns/{id} | Every 30 minutes | None required |
| GitHub REST API | https://api.github.com/repos/{owner}/{repo}/commits/{sha} | Every 10 minutes (batch of 10) | Optional GITHUB_TOKEN for higher rate limits |
| NVD API 2.0 | https://services.nvd.nist.gov/rest/json/cves/2.0?cveId={id} | Every 2 hours (batch of 8) | Optional NVD_API_KEY for higher rate limits |
## API Endpoints
| Method | Path | Description |
|--------|------|-------------|
| GET | /disclosure-lag/health | Health check, returns {"ok":true} |
| GET | /disclosure-lag/api/stats | Aggregate stats: total vulns, median/avg/max lag, trend data |
| GET | /disclosure-lag/api/vulns | Paginated vuln list. Query params: ecosystem, min_lag_hours, page, limit |
| GET | /disclosure-lag/api/vulns/:id | Single vulnerability detail |
| GET | /disclosure-lag/api/ecosystems | Per-ecosystem summary with median lag |
| GET | /disclosure-lag/card/:id | Shareable HTML card for a vulnerability with OG meta tags |
| GET | /disclosure-lag/ | Dashboard SPA |
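An added example of how the `/disclosure-lag/api/vulns` query parameters listed above can be validated and turned into a parameterized better-sqlite3 query; this is not the project's own code, and the table and column names (`vulns`, `ecosystem`, `lag_hours`, `fix_committed_at`, `disclosed_at`) are assumptions, since the README does not publish its schema. It rejects unknown ecosystems, non-numeric and repeated parameters, and caps `limit` so a single request cannot dump the whole table.

```javascript
// Added example, not code from the disclosure-lag project. Validates the
// query parameters the README lists for GET /disclosure-lag/api/vulns and
// builds a parameterized SQLite query from them. Table and column names
// are assumed; the README does not publish its schema.

// The four ecosystems the README names; anything else is rejected rather
// than passed through to SQL.
const ECOSYSTEMS = new Set(["npm", "PyPI", "Go", "crates.io"]);
const DEFAULT_LIMIT = 25;
const MAX_LIMIT = 100;
const MAX_PAGE = 1_000_000; // keeps OFFSET bounded

// Express 5's default query parser yields an array for a repeated key
// (?page=1&page=2), so every param is type-checked, not only range-checked.
function parseBoundedInt(raw, { min, max, fallback }) {
  if (raw === undefined) return fallback;
  if (typeof raw !== "string" || !/^\d{1,9}$/.test(raw)) {
    throw new RangeError("expected a non-negative integer");
  }
  return Math.min(Math.max(Number(raw), min), max);
}

// Returns SQL text and bound parameters separately: user values never enter
// the SQL string, so a crafted ecosystem value is an unknown name that gets
// a 400, never a predicate the database evaluates.
function buildVulnQuery(query = {}) {
  const where = [];
  const params = [];
  if (query.ecosystem !== undefined) {
    if (typeof query.ecosystem !== "string" || !ECOSYSTEMS.has(query.ecosystem)) {
      throw new RangeError("unknown ecosystem");
    }
    where.push("ecosystem = ?");
    params.push(query.ecosystem);
  }
  if (query.min_lag_hours !== undefined) {
    const raw = query.min_lag_hours;
    const v = typeof raw === "string" && raw.trim() !== "" ? Number(raw) : NaN;
    if (!Number.isFinite(v)) {
      throw new RangeError("min_lag_hours must be a finite number");
    }
    where.push("lag_hours >= ?");
    params.push(v);
  }
  const page = parseBoundedInt(query.page, { min: 1, max: MAX_PAGE, fallback: 1 });
  const limit = parseBoundedInt(query.limit, { min: 1, max: MAX_LIMIT, fallback: DEFAULT_LIMIT });
  const sql =
    "SELECT id, ecosystem, package, lag_hours, fix_committed_at, disclosed_at FROM vulns" +
    (where.length ? ` WHERE ${where.join(" AND ")}` : "") +
    " ORDER BY lag_hours DESC, id LIMIT ? OFFSET ?";
  params.push(limit, (page - 1) * limit);
  return { sql, params, page, limit };
}

// Express 5 route handler over a better-sqlite3 Database. Validation errors
// become 400s; anything else is rethrown so Express's error handler sees it
// (Express 5 forwards errors thrown from synchronous handlers).
function makeVulnsHandler(db) {
  return (req, res) => {
    let q;
    try {
      q = buildVulnQuery(req.query);
    } catch (err) {
      if (err instanceof RangeError) return res.status(400).json({ error: err.message });
      throw err;
    }
    const rows = db.prepare(q.sql).all(...q.params);
    res.json({ page: q.page, limit: q.limit, rows });
  };
}

// Stand-alone demonstration without a database: show the statement and
// bindings that ?ecosystem=npm&min_lag_hours=24&page=3&limit=500 produces.
console.log(buildVulnQuery({ ecosystem: "npm", min_lag_hours: "24", page: "3", limit: "500" }));
```

Wiring it up is `app.get("/disclosure-lag/api/vulns", makeVulnsHandler(db))`. Keeping the query builder a pure function makes the validation rules testable without a database, and the `ORDER BY lag_hours DESC, id` tiebreak keeps pagination stable when several vulnerabilities share the same lag.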
## Run Locally

```bash
# Install dependencies
npm install
# Optional: set tokens for higher API rate limits
export GITHUB_TOKEN=your_token
export NVD_API_KEY=your_key
# Start server (default port 4749)
npm start
# Or with custom port
PORT=4749 node server.js
```
The server starts fetching data from OSV.dev, GitHub, and NVD immediately on boot. Vulnerability data accumulates over time as cron jobs run. Initial data appears within ~30 seconds of startup.
## Stack
- Node.js >= 22, Express 5, better-sqlite3 (WAL mode)
- node-cron for scheduled data fetching
- Chart.js (CDN) for frontend charts
- Vanilla JS SPA, dark theme