Open Vulnerability and Assessment Language, OVAL, is an xml based format for defining vulnerabilities and tests for verifying or discovering vulnerabilities. Vendors like Red Hat, Suse, Oracle all publish OVAL definitions for free. By utilizing already available free definitions you can reduce costs, why pay for information that's already available for free?

OVAL definitions are machine processable xml files but you can view them online using VulnIQ OVAL viewer, just click the referenced item ids to expand referenced OVAL items.

OVAL definitions processed by VulnIQ engine are also used by VulnIQ security analyzer, Terzi, to run authenticated security scans on endpoints. VulnIQ engine APIs act as an OVAL data hub (besides many other data types). Customers running their own private VulnIQ instances can benefit from this architecture significantly as scanners on endpoints will not have a database that needs to be updated. They will always pull only the necessary data from the VulnIQ server.

When running your private instance, you can configure OVAL data sources as you like. For example if you want to monitor OVAL definitions from Red Hat, then you simply configure a Red Hat OVAL definitions data source and VulnIQ OVAL data processor takes care of the rest.