Discover & assess
Network, host, web-application (DAST), TLS, container, IaC and cloud-posture scanning across your authorised estate.

National Vulnerability Management Platform
OpenVMP continuously discovers, assesses and helps remediate vulnerabilities across participating government organisations’ systems — using a trusted open-source toolset, with every finding kept inside the Government’s own cloud tenant and jurisdiction.
Capability parity with Qualys VMDR and Tenable Nessus, assembled from mature open-source engines — without per-asset licence costs and without exporting sensitive data.
Network, host, web-application (DAST), TLS, container, IaC and cloud-posture scanning across your authorised estate.
Findings scored with CVSS, EPSS exploitation probability and the CISA Known-Exploited catalogue — transparent and auditable.
All scan data, findings and reports remain within the Government’s Azure tenant and jurisdiction. Nothing leaves.
A report is released only after proven domain ownership and a two-person control — recommend, then consent.
Submitting a scan request is easy. Obtaining the resulting report is deliberately rigorous — because a vulnerability report is sensitive information about a system’s weaknesses.
Self-register with MFA and submit the web properties you are authorised to have assessed.
Verify via same-domain email, a DNS TXT token or a well-known file — or submit business-registration evidence for review.
A Portal Administrator recommends release; a Super Administrator independently consents. Neither can act alone.
The released report is available only to the verified requester, scoped to the verified domain, with a full audit trail.