Methodology and Quality

We aggregate CVE data from three primary sources: NIST National Vulnerability Database (NVD) API 2.0, GitHub Security Advisory Database (GHSA), and OSV.dev. Records are classified as AI-relevant using a two-stage pipeline: first, a product/package name matcher against a dictionary of 35+ known AI/ML packages; second, a keyword-weighted scorer across 21 semantic buckets derived from the MITRE ATLAS taxonomy. Only records with classification confidence ≥ 0.5 are included in published metrics.

CISA Known Exploited Vulnerabilities (KEV) are cross-referenced to identify the exploited-in-the-wild subset. Monthly counts are computed from the published_at date. Severity uses CVSSv3 base score where available, falling back to CVSSv2.

Tool metadata is sourced from vendor documentation, GitHub repository data, and practitioner survey responses. Each tool entry includes: category classification against our 14-category AI security taxonomy, pricing model, deployment model, and license type. Star counts and contributor metrics are fetched directly from the GitHub API at enrichment time and are point-in-time snapshots.

Practitioner ratings (when available) represent aggregated responses from our survey cohort weighted by org size and role. Tools with fewer than 3 survey reviews are marked “insufficient data” and excluded from comparative rankings.