In cyber defense, threat intelligence is often a race against time. During major offensive security campaigns, such as China's annual "HV" (Hunter-Gatherer or HuWang) cyber exercises, the volume of newly disclosed vulnerabilities spikes dramatically. Security teams must rapidly identify, verify, and patch zero-day, 1-day, and n-day vulnerabilities before attackers can exploit them. Managing this influx of threat data requires structured, accessible repositories that security researchers can quickly parse and integrate into their defensive workflows.
Historically, much of this fast-moving vulnerability data was compiled in ad-hoc shared spreadsheets, such as Tencent Docs. While convenient for quick manual entry, collaborative cloud documents fail when security teams need to automate their defenses. They lack version control, make automated parsing difficult, and do not support structured queries. This operational bottleneck is what drives the transition toward structured, open-source vulnerability databases.
Enter hwpoc
The hwpoc project, curated by security group Adysec, is an open-source vulnerability intelligence database specifically focused on 0day, 1day, and nday vulnerabilities documented during offensive security campaigns. Originally hosted as a collaborative Tencent Document, the project has migrated to GitHub to provide a structured, programmatic alternative for security analysts.
At its core, hwpoc converts chaotic, real-time vulnerability reports into organized, machine-readable data. The project maintains a public web interface and utilizes Python to manage its data pipeline. By storing vulnerability information in a structured format, it allows security teams to query, filter, and ingest threat intelligence directly into their security information and event management (SIEM) systems or automated scanners.
Structured Data and Community Submissions
The most notable design choice in hwpoc is its reliance on TOML (Tom's Obvious, Minimal Language) as the source data format. Rather than relying on a traditional SQL database or unstructured markdown files, the project stores its raw vulnerability intelligence in TOML files. This format strikes a balance between human readability and machine parsability. Security tools can easily ingest TOML data, while human contributors can edit the files without dealing with the strict syntax overhead of JSON or the indentation sensitivity of YAML.
To keep the database current, the project leverages GitHub's native infrastructure for community contributions. Instead of using a proprietary submission portal, hwpoc encourages security researchers to submit new vulnerability data and proof-of-concept (PoC) details via GitHub Issues. This decentralized approach allows the broader security community to peer-review submissions, flag false positives, and update existing entries as new mitigation strategies emerge.
Furthermore, the project maintains a dedicated web portal that visualizes this data. For analysts who prefer a visual interface over raw TOML files, the web platform simplifies searching through the repository of historical and active threats compiled from various security exercises.
Practical Limitations
While hwpoc serves as a valuable repository, users should understand its specific scope and limitations. This is a curated database of threat intelligence and vulnerability details, not an automated exploitation framework or an active scanning tool. It does not feature built-in scanning engines.
Additionally, because the data originates from community submissions and fast-paced security exercises, the validation of proof-of-concept code relies heavily on community peer review. Organizations utilizing this data must verify the payloads in a controlled sandbox environment before deploying signatures or detection rules in production. The repository is primarily compiled in Chinese, reflecting its origins in local defensive exercises, which may require non-Chinese speaking teams to integrate translation APIs into their ingestion pipelines.
Accessing the Database
Deploying the web interface or parsing the raw data requires a basic Python environment. To run the web portal locally or use the generation scripts, you will need Python 3 installed along with a few standard dependencies to handle the TOML parsing and web rendering. The project is designed to be lightweight, avoiding heavy database dependencies by reading directly from the flat TOML files. For detailed setup instructions, dependency lists, and commands to run the local server, please consult the documentation in the repository.
This repository bridges the gap between chaotic real-time threat reporting and structured defensive operations. By moving away from fragile shared spreadsheets and embracing version-controlled TOML data, the project provides a clean, queryable foundation for threat hunters and security researchers. You can explore the web interface on the hwpoc website or examine the raw codebase and contribute vulnerability data directly through the hwpoc GitHub repository.
Comments