Centralized findings ledger for the NuClide OSINT ecosystem.
ECS-normalized, lifecycle-tracked, append-only SQLite store. All NuClide tools (VisorGoose, aimap, ollama-recon) write events here. Every finding moves through a defined lifecycle: open → disclosed → acknowledged → remediated → verified.
Inspired by the discipline of CISA's Logging Made Easy — repurposed for AI infrastructure OSINT tracking.
Claude Code can query VisorLog, triage findings, and generate disclosure artifacts directly from the database.
Run `visorlog query --severity critical --status open` and triage the results. For each finding, identify whether it falls under a responsible disclosure safe harbor, draft a one-paragraph impact statement, and suggest the correct disclosure channel.
I have a visorlog.db with 168 nodes. Run `visorlog stats` and `visorlog alert`. For any stale-critical findings (open > 7 days), draft escalation notes and identify the correct CERT contact for each org_country.
The NuClide ecosystem generates findings across multiple tools and sectors. Without a shared store:
- Findings live in fragmented per-sector JSON state files
- Disclosure status tracked manually in SESSION.md
- No unified view across government / university / healthcare findings
- No alert when a CRITICAL finding sits open for a week
VisorLog fixes all of that.
go install github.com/Nicholas-Kloster/visorlog@latest# From VisorGoose state
visorlog ingest --from visorgoose-state.json --format visorgoose
# From ollama-recon.py state
visorlog ingest --from ollama-gov-state.json --format ollama-recon
# Stream from VisorGoose scan
visorgoose scan | visorlog ingest
# NDJSON (universal)
visorlog ingest --from findings.ndjsonvisorlog status=== OPEN FINDINGS ===
critical ██ 2
medium ██ 2
=== BY SECTOR / SEVERITY / STATUS ===
SECTOR SEVERITY STATUS COUNT
government critical open 2
government medium open 1
visorlog query --tag TAKEOVER --status open
visorlog query --sector government --severity critical
visorlog query --country ID --jsonvisorlog update 4 --status disclosed --note "emailed kominfo@jatengprov.go.id"
visorlog update 4 --status acknowledged
visorlog update 4 --status remediatedvisorlog alert[new-takeover] TAKEOVER open: 103.107.245.11 (sijoli-11-245-107.jatengprov.go.id) [government]
[stale-critical] STALE critical: 16.64.116.67 open for >7 days — disclose?
Built-in rules: new-takeover, new-critical, stale-critical (>7d), stale-high (>14d)
visorlog add --ip 103.107.245.11 \
--hostname sijoli-11-245-107.jatengprov.go.id \
--org "Dinas Kominfo Jawa Tengah" \
--country ID --sector government --tld .go.id \
--severity critical --tags TAKEOVER,CLOUD,RAG \
--source manualvisorlog report --out open-findings.md
visorlog report --status "" --out all-findings.mdopen → disclosed → acknowledged → remediated → verified → archived
Every status transition is timestamped and appended as a note. Records are never mutated — the full history is preserved.
| Field | Description |
|---|---|
event.category |
discovery, disclosure, remediation, regression |
event.severity |
critical, high, medium, low, info |
host.ip / host.hostname |
Target identity |
org.name / org.country |
Organization |
nuclide.sector |
government, university, healthcare, commercial, isp |
nuclide.tags |
TAKEOVER, CVE-2025-63389, CLOUD, RAG, DISTILLED |
nuclide.source |
Which tool discovered it |
lifecycle.status |
Current stage |
vuln.ids |
CVE IDs |
VisorGoose ──┐
aimap ──┼──► visorlog ingest ──► visorlog.db ──► query / alert / report
ollama-recon──┘
- VisorGoose — multi-source AI service discovery
- aimap — deep AI service fingerprinter
- AI-LLM-Infrastructure-OSINT — case study repository
NuClide Research · nuclide-research.com
Maintained by Nicholas Michael Kloster as part of NuClide — independent AI infrastructure security research.
CISA disclosures: CVE-2025-4364 · ICSA-25-140-11