Back in 2021, we may have been overly optimistic, believing that known vulnerabilities could be resolved if only defenders had the right tools. We introduced the FwHunt community scanner, a product we made freely available to the security community to help mitigate recurring and repeatable software supply chain security failures. In 2022, we expanded on this effort with the launch of FwHunt.RUN, a web-based scanner focused on detecting vulnerabilities disclosed by the Binarly REsearch team.
These three blogs outline the evolution of FwHunt and FwHunt.RUN in chronological order:
Over three years, FwHunt.RUN has detected 38,754 vulnerabilities and successfully processed 12,362 firmware images. This means that, on average, each scan identified at least three known vulnerabilities, highlighting the severity of the problem in the firmware ecosystem. The data also emphasizes the lack of effective code-based detection solutions for verifying vendors' security claims. We observed that major device manufacturers and reference code developers (IBVs) have been relying on FwHunt.RUN for vulnerability validation and remediation. FwHunt.RUN has been a very successful project, and it is now time to create a more comprehensive solution with even more ambitious ideas.
Today, we are excited to announce the next chapter in the transformation of FwHunt.RUN. With plans to expand beyond firmware scanning, the platform will now be named Binary Risk Hunt and will offer even more features -- completely free of charge -- to help uncover repeatable failures across the software supply chain. Binary Risk Hunt uses the most recent Binary Risk Intelligence technology to identify known vulnerabilities and firmware implants, and to scope dependencies (including transitive dependencies) in order to generate a comprehensive SBOM (Software Bill of Materials).
Binary Risk Hunt also provides registered users with free API access to scale detection.
Key features now available at Binary Risk Hunt v1.0:
At Binarly, we pride ourselves on innovation and we’re excited to be the first company to offer comprehensive binary analysis tools for vulnerability detection and SBOM generation -- at no cost! The new Binary Risk Hunt v1.0 has already attracted notable partners during a brief testing phase, including the Linux Vendor Firmware Service (LVFS) and Blindspot Software. The figure below shows BlindSpot integrating the tool with their FirmwareCI pipeline.
This shows strong industry adoption of tools for fighting known vulnerabilities and providing transparency into component dependencies. During the testing period, Binary Risk Hunt has already uncovered more than 1576 critical vulnerabilities and generated 257 SBOMs.
The Binary Risk Hunt tool is extremely easy to use, and registration is not required to proceed with a single file scan or to download an SBOM report. A registered account is only necessary if a user needs API access. Try it now at https://risk.binarly.io