Official · Government of Sri Lanka · Restricted Distribution
◆ Continuous Vulnerability Assessment & Remediation Initiative

Securing the nation’s digital estate, sovereign by design.

OpenVMP continuously discovers, assesses and helps remediate vulnerabilities across participating government organisations’ systems — using a trusted open-source toolset, with every finding kept inside the Government’s own cloud tenant and jurisdiction.

The scan starts immediately. To track its status and obtain the report, you’ll register or sign in with your email — no password needed.

A sovereign alternative to commercial suites

Capability parity with Qualys VMDR and Tenable Nessus, assembled from mature open-source engines — without per-asset licence costs and without exporting sensitive data.

🔍

Discover & assess

Network, host, web-application (DAST), TLS, container, IaC and cloud-posture scanning across your authorised estate.

🛡️

Prioritise by real risk

Findings scored with CVSS, EPSS exploitation probability and the CISA Known-Exploited catalogue — transparent and auditable.

🏛️

Data sovereignty

All scan data, findings and reports remain within the Government’s Azure tenant and jurisdiction. Nothing leaves.

Governed disclosure

A report is released only after proven domain ownership and a two-person control — recommend, then consent.

Low-friction to request. High-assurance to release.

Submitting a scan request is easy. Obtaining the resulting report is deliberately rigorous — because a vulnerability report is sensitive information about a system’s weaknesses.

Register & request

Self-register with MFA and submit the web properties you are authorised to have assessed.

Prove domain ownership

Verify via same-domain email, a DNS TXT token or a well-known file — or submit business-registration evidence for review.

Dual-control release

A Portal Administrator recommends release; a Super Administrator independently consents. Neither can act alone.

Retrieve securely

The released report is available only to the verified requester, scoped to the verified domain, with a full audit trail.