Privacy And Data Use

Know what stays in your browser and what comes from live intelligence sources.

This page explains local workspace data, tool behavior, exports, live-derived views, and the limits of browser-side privacy guarantees.

Short version: Vuln Signal does not require accounts. Saved items, notes, triage states, compare queues, saved searches, and recent searches are stored in your browser local storage unless you export or clear them.

Accounts

None: the portal does not require sign-in

Workspace

Local: notes and saved queues live in browser storage

Exports

User-led: files are created only when you export them

Live data

Fetched: public intelligence is loaded from site APIs when available

Data stored by your browser

Saved items

Bookmarks for CVEs and advisories are stored locally so you can build a personal queue without an account.

Analyst notes

Notes and triage states are local to the browser profile. Do not paste secrets, credentials, customer data, or sensitive incident details into notes.

Saved and recent searches

Search filters and recent investigation paths are stored locally so you can reopen repeat workflows.

Compare queue

Selected CVEs for comparison are stored locally and can be cleared through normal browser storage controls.

Browser localStorage

Local storage is tied to the current browser profile or embedded WebView. Clearing site data, changing profiles, private browsing, or device policy can remove it.

Shared device caution

Anyone with access to the same browser profile may be able to see locally saved notes, searches, compare queues, and exported files.

WebView note: if Vuln Signal is opened inside a mobile app WebView, embedded browser, kiosk, or managed device container, local storage retention depends on that host app and device policy. Treat saved workspace data as local convenience data, not durable records.

How to treat pasted input and generated files

Prefer non-sensitive samples

Use sanitized snippets for tool inputs. Avoid credentials, private keys, customer records, and unredacted incident evidence.

Browser-only helpers

Formatting, parsing, extraction, draft detection, and many conversion helpers run in the browser using page scripts.

Lookup-style helpers

Network lookup helpers may depend on backend or browser network behavior. Treat submitted lookup values as data you are intentionally checking.

Exported files

JSON, CSV, Markdown, and workspace exports are downloaded to your device. Review them before sharing because they may include notes and local triage state.

What live-derived content can and cannot prove

Loaded data is not environment proof

Counts, queues, maps, and hubs summarize records loaded into the browser. They do not prove your organization is affected.

Telemetry claims need evidence

The portal does not prove active compromise. Use SIEM, EDR, identity, network, and application logs for incident claims.

Source confidence matters

Disputed, rejected, low-confidence, stale, or evolving records should be validated before they drive deadlines.

External systems remain authoritative

Use asset inventory, vendor advisories, change systems, and risk governance systems for official decisions and approvals.