Security engineering time is valuable, and finding additional security engineers to add to an R&D team can be difficult. There's no reason that an engineer's time should be spent doing the boring and tedious work of writing and formatting presentable findings reports after conducting penetration tests. In 2013, Vulnreport was envisioned by the Salesforce Product Security team as an automation and management platform for the 1500+ penetration tests and security audits we perform annually. To date, Vulnreport has saved hundreds, if not thousands, of security engineer-hours, resulting in a 'free' extra engineer for our team.
Vulnreport's original purpose was to automate and manage all the data involved with the AppExchange Security Review process and to provide useful metrics to help us understand what vulns we were finding. After talking with our partners, friends, and customers, we've released Vulnreport for free to the community. The open source version of Vulnreport has been abstracted from the ground up to let you hook your own integrations and modifications into the platform.
Vulnreport was open-sourced at Black Hat USA 2016's Arsenal and will remain available and regularly updated for anyone in the security community to use, modify, contribute to, or just play around with.
As a Product Security team, we firmly believe that making the internet a safer place for everyone is part of our core business. We love working with smart people who are dedicated to that goal. If you're interested in making the internet and cloud computing more secure, and/or developing cool security tools, check out career opportunities at Salesforce Trust.
To speak directly about opportunities at Salesforce Product Security or on the larger Trust Team, or for questions about Vulnreport, contact tim.bach [at] salesforce [dot] com.