Skip to content

Notification Feature#

The following is an overview of the notification features in FutureVuls.

flowchart LR
    subgraph Events
        A["Immediate Notification<br>(Immediate / Actively Exploited Vulnerabilities)"]
        D["Immediate Notification (Email Only)<br>Malicious Packages"]
        B["Periodic Report<br>(Daily / Weekly)"]
        C["On-demand Notification<br>(Task Updates / Alert Tags / Errors / Topics / Critical Filter Changes)"]
    end

    subgraph Channels
        M["Email"]
        S["Slack App"]
        T["Teams"]
    end

    A --> M & S & T
    D --> M
    B --> M & S & T
    C --> M
    C -.-> S & T

※ The dashed lines in the diagram above indicate that, among on-demand notifications, only Alert Tags, Errors, Topics, and Critical Filter Changes are supported on Slack / Teams (Task Updates and Comments are email only).

The following table shows which notification channels support each event (○: supported, —: not supported).

Event Timing Email Slack App Teams
Immediate task detection Immediate
Detection of actively exploited vulnerabilities Immediate
Malicious package detection Immediate
Task update/comment On-demand
Special Alert Tag On-demand
Critical filter change On-demand
Scan error On-demand
Topic creation On-demand
Periodic Report Daily/Weekly

New Detection of Immediate Tasks#

For "existing tasks whose SSVC Priority has changed to Immediate, or tasks created as Immediate," an immediate notification is sent to all members of the group. This was implemented because daily notifications from the Daily Report were insufficient for vulnerabilities requiring an urgent response. When you receive this notification, please address the task promptly.

This is a critical notification that should not be missed, so it cannot be turned OFF. However, you can narrow the notification scope in the group settings. For details, please see Group Settings.

Report Content#

  • Link to the task with SSVC Priority Immediate
  • Name of the server where it was detected
  • Related packages
  • SSVC Decision Point

immediate

New Detection of Actively Exploited Vulnerabilities#

When a vulnerability is detected that has been newly determined to be "actively exploited" based on KEV information (CISA KEV / VulnCheck KEV / ENISA KEV), an immediate notification is sent. This is because vulnerabilities with confirmed exploitation carry a high risk of attack, and the once-a-day Daily Report may be too slow for a timely response. Notifications can be received via Email / Slack / Teams. Note that when an actively exploited vulnerability is found on a registered server, notifications are sent per task.

Notification Settings#

  • Email notifications: Select from "Change Notification Scope for Actively Exploited Vulnerability Notifications" in the Group Settings.
    • All group members: Notifies all users belonging to the group
    • Task assignees: Notifies only the assignees of the corresponding task
    • None: Disables the notification
  • Slack / Teams notifications: Toggle ON / OFF using the notification type toggles in each Webhook setting.

Default Notification Settings

For organizations subscribed to the PSIRT plan, this notification is enabled (ON) by default. For all other organizations, it is disabled (None) by default. Enable it from the group settings as needed.

Report Content#

  • Links to the corresponding vulnerabilities and tasks
  • Name of the server where it was detected
  • Related packages
  • Alert information (CISA KEV / VulnCheck KEV / ENISA KEV, etc.)

Actively exploited vulnerability notification

Immediate Notification for Malicious Packages#

When a malicious package is detected, an immediate notification is sent with the same level of urgency as an SSVC Immediate task. The presence of a malicious package is a critical risk that can lead directly to information leakage or system compromise, so we provide immediate notification to enable a swift response after detection.

Similar to the Immediate task notification, this notification cannot be turned OFF. However, you can narrow the notification scope in the Group Settings. You can choose one of the following:

  • All group members: Notifies all users belonging to the group.
  • Primary assignees: Notifies only the primary assignee of the corresponding supply chain risk.

Report Content#

  • Malicious package ID and a link to OSV
  • Name of the server where it was detected
  • Related packages
  • Link to the supply chain risk

malicious

Daily/Weekly Report Email#

A group-level report is sent via email.

You can stop or resume delivery on the "Profile Settings" screen. You can access the "Profile Settings" screen from the person icon in the upper right corner or from the "Unsubscribe here" link at the bottom of the Report email.

Type Timing Recipients
Daily Every morning All members belonging to the group
Weekly Every Monday morning All members belonging to the group

Report Content#

Tasks Past Their Due Date#

If there are tasks that have passed their set due date, they will be reported.

Tasks Past Their Scheduled Date#

If there are tasks that have passed their set scheduled date, they will be reported.

Vulnerabilities Set with Special Alert Tags#

If a vulnerability matching a Special Alert Tag is detected within 24 hours, it will be reported. A maximum of 10 items will be reported per Special Alert Tag of the same name.

Vulnerabilities Newly Registered in the Last 24 Hours#

The Daily Report includes the number of vulnerabilities from tasks newly registered within 24 hours of the email's sending time, broken down by the following categories:

  • Number of vulnerabilities corresponding to important unresolved issues
  • Number of vulnerabilities corresponding to other unresolved issues
  • Number of vulnerabilities per server

The count is based on "newly registered tasks". Note that this does not mean "vulnerabilities detected for the first time".

For example, the following case would be counted:

CVE-2021-0001 has been detected on a server in the past.
A scanner is newly installed on another server in the same group and a scan is performed. CVE-2021-0001 is detected (newly registered as a task).
The next day's Daily Report will count CVE-2021-0001.

The Weekly Report covers cumulative vulnerabilities from the Daily Reports, for tasks newly registered within one week of the email's sending time.

Severity of Detected Vulnerabilities per Server#

The aggregation rules for the "Severity of Detected Vulnerabilities per Server" in the Daily Report email are as follows:

  • The highest score (max) is selected from NVD / JVN / Red Hat / Microsoft CVSS v2 / CVSS v3 / CVSS v4 scores.
  • The max value is aggregated according to the following rules:

    Condition Severity
    9.0 <= max CRITICAL
    7.0 <= max < 9.0 HIGH
    4 <= max < 7.0 MEDIUM
    0.1 < max < 4 LOW
    0 == max NONE

Other#

A Daily Report will not be sent to a group if there are zero newly registered tasks within 24 hours and zero tasks past their due date. Also, tasks whose status is no longer new at the time of the Report notification are excluded from the count of newly registered tasks.

Slack & Teams Notifications#

By linking Slack or Teams to a group, you can receive notifications at the following times:

  • When a Daily Report / Weekly Report is sent
  • When a Group Topic / Organization Topic is created
  • When a scan error occurs
  • When a group's critical filter is changed
  • When a task with SSVC Priority Immediate is detected
  • When an actively exploited vulnerability is detected
  • When the following triage settings are changed:
    • Automatic vulnerability priority update
    • Task priority rule set update
    • Automatic Ignore Settings update
    • Special Alert Tag (also notified when newly added)

Notifications for each application can be toggled ON/OFF per notification type from each Webhook setting in the group settings.

For details on how to configure notifications for each application, please see below.

Daily Report Slack Notification#

The Slack webhook integration is scheduled to be deprecated. Please use the Slack App integration.

The Daily Report can also be sent to Slack via Webhook. For configuration instructions, please see External Integration Slack Notification Settings.

Note that a Daily Report will not be sent to groups with zero applicable items.

Email Notifications#

For details on the "Notification Email Address" feature, see here.

Timing Recipients Forwardable to Notification Email Address
Task Update (Bulk/Single) Primary assignee, Secondary assignee (cc: Executor) ⚪︎
Task Hide (Bulk/Single) Primary assignee, Secondary assignee (cc: Executor) ⚪︎
Task Comment Registration Primary assignee, Secondary assignee, Mentioned users (cc: Executor)
※Notifications are consolidated into one for bulk operations
⚪︎
Bulk Update Error Executor
Detection of Immediate Task All group members (excluding view-only users) or assignees of related tasks ⚪︎
Detection of Actively Exploited Vulnerabilities All group members (excluding view-only users) or assignees of related tasks ⚪︎
Daily/Weekly Report All group members (excluding view-only users) ⚪︎
Organization Topic Post All members of groups where the specified CVE is detected (excluding view-only users)
Group Topic Post All group members (excluding view-only users)
Special Alert Tag All members of groups where the specified CVE is detected (excluding view-only users)
User Addition The user being added
User Removal The user being removed
Removal from Organization The user being removed
Organization Deletion All organization members
Credit Card Registration The user who registered
Scanner Authentication Error All group members (excluding view-only users)
Scan Notification Assignees of related tasks
Scan Error All group members (excluding view-only users)
Malicious Package Detection All group members (excluding view-only users) or the primary assignee of the supply chain risk ⚪︎
EOL Detection Primary assignee ⚪︎
Supply Chain Risk Update (Bulk/Single) Primary assignee (cc: Executor) ⚪︎
Supply Chain Risk Comment Registration Primary assignee, Mentioned users (cc: Executor)
※Notifications are consolidated into one for bulk operations
⚪︎
Monthly Group EOL Notification Group admins, Group members (excluding view-only users) ⚪︎
Monthly Group Set EOL Notification Organization owners, CSIRT, Group set admins, Group set members (excluding view-only users) ⚪︎
Cloud One Error All group members (excluding view-only users)
Group Set Critical Filter Update All group set members (excluding view-only users)
Group Critical Filter Update All group members (excluding view-only users)
Automatic Vulnerability Priority Setting All organization members
Task Priority Rule Set Setting All organization members
Automatic Ignore Settings All organization members
SSVC Organization Trigger Update All organization members
SSVC Group Trigger Update All group members (excluding view-only users)
SSVC Organization Decision Table Update All organization members
SSVC Group Decision Table Update All group members (excluding view-only users)
SSVC Group Decision Point Update All group members (excluding view-only users)
Private CVE Registration to PSIRT Team All PSIRT team members
PSIRT Response Comment Registration Primary assignee, Secondary assignee, Mentioned users (cc: Executor)
PSIRT Response Update Primary assignee (cc: Executor)
Private CVE Update All members of the PSIRT team associated with the specified CVE
Organization Upgrade to Paid Plan Billing email address (cc: Executor)

Notification Recipient Settings

Emails to all members are generally sent using BCC.

Default Assignee#

If you set a Server > Default Assignee, an email notification will be sent when a new task is registered for that server.

Notification Email Address#

By adding an email address to Group Settings > Notifications > Notification Email Address, you can forward notifications to email addresses not registered as FutureVuls users. This is useful for sharing information with an entire team by registering a mailing list, for example.

Currently, it supports the following notification features. You can select which notifications to forward, allowing you to share only the necessary information.

Notification Email Address

Supply Chain Risk Notifications#

Monthly Group EOL Notification

You can receive notifications about supply chain risks (EOL, malicious packages) via email as a monthly report (Monthly EOL Report) and as on-demand notifications.

Notification Method#

Currently, supply chain risk notifications are supported only via email. Slack and Teams notifications are not supported.

You can stop or resume the delivery of the Monthly EOL Report on the "Profile Settings" screen's "EOL Monthly Report Email Delivery". You can access the "Profile Settings" screen from the person icon in the upper right corner.

Notification Types#

Notification Type Frequency Recipients
Monthly Group EOL Notification Monthly (once a month) Group admins, Group members (excluding view-only users)
Monthly Group Set EOL Notification Monthly (once a month) Organization owners, CSIRT, Group set admins, Group set members (excluding view-only users)
Notification on EOL Detection On-demand (upon new EOL detection) Primary assignee
Notification on Malicious Package Detection On-demand (upon malicious package detection) All group members (excluding view-only users) or the primary assignee of the supply chain risk
Notification on Update On-demand (upon supply chain risk update) Primary assignee (cc: Executor)

About Private EOL Notifications

Private EOL information registered at the organization level is also detected as a supply chain risk in the same way as regular EOLs, and is covered by the EOL notifications above (monthly report, EOL detection, and update notifications).

Monthly Group EOL Notification#

A report on the EOL response status is sent once a month to group admins and group members (not sent to users with view-only permissions).

Last Month's EOL Summary#

The following information is reported:

  • New EOL List: EOLs first detected within the last month.
  • Updated Supply Chain Risks List: Supply chain risks updated within the last month.

Clicking the number for each item will take you to the supply chain risk list screen filtered by the corresponding condition.

EOL Response Progress within the Group#

You can check the overall status of your group's EOL response. Up to three "within X days" parameters can be set at the organization level (default is 365 days).

This report aggregates progress based on the following status definitions:

  • Incomplete Statuses: NEW, INVESTIGATING, ONGOING - Supply chain risks that have not been resolved.
  • Completed Statuses: NOT_AFFECTED, WORKAROUND, RISK_ACCEPTED, CLOSED - Supply chain risks that have been resolved.
Item Content
Completion Rate Percentage of supply chain risks with a completed status.
Total Count All supply chain risks with an EOL date within the specified period.
Past Due Date Incomplete supply chain risks that have passed their due date.
Due Date Not Set Incomplete supply chain risks with no due date set.
Past Scheduled Date Incomplete supply chain risks that have passed their scheduled date.
Scheduled Date Not Set Incomplete supply chain risks with no scheduled date set.
High Risk (Unresolved) Supply chain risks with Human Impact=High or Human Impact=Very High, and Exposure=Open, and Status=NEW.
Within {parameter} days (Incomplete) Incomplete supply chain risks with an EOL date within the specified period (parameter is configurable).

Each number is clickable and will take you to the supply chain risk list screen filtered by the corresponding condition.

EOL Response Progress by Software#

You can check the EOL response status for software and OS listed on endoflife.date. They are sorted by the nearest EOL date.

Item Content
Software Software name and version
EOL EOL date
NEW Number of newly detected risks
INVESTIGATING Number of risks under investigation
ONGOING Number of risks being addressed
Resolved Number of completed risks

Monthly Group Set EOL Notification#

Once a month, a cross-sectional report on the EOL response status of each subordinate group is sent to organization owners, CSIRT, group set admins, and group set members (not sent to users with view-only permissions).

Last Month's EOL Summary#

The same information as the group notification is reported. The link will lead to the group set's supply chain risk list screen.

EOL Response Progress within the Group Set#

For security personnel, this provides an overview of the EOL response status for each group in the group set. It is sorted in descending order of completion rate.

The items included in the report are the same as in EOL Response Progress within the Group. The aggregated results are displayed per group.

Clicking on a group name or any number will take you to that group's supply chain risk list screen.

EOL Response Progress by Software#

You can check the EOL status for software and OS listed on endoflife.date across the entire group set.

Notification on New Detection#

When a new supply chain risk (EOL) is detected, the server's "Default Assignee" is notified immediately. If a default assignee is set for the server, that user is automatically set as the assignee when the risk is created, and a notification is sent. If not set, no notification is sent. Note that if multiple risks are detected in a single scan, they will be consolidated into one email notification.

Notification on Update#

When a supply chain risk is updated, the primary assignee is notified (cc: the user who made the update). The email includes the updater's name, the changes made, and a link to the supply chain risk details.