What is the oldest documented vulnerability? As far as OSVDB is aware, it’s a tie between UNIX-V6 su File Descriptor Exhaustion Local Privilege Escalation and Sendmail Unspecified Multiple Security Issues (yes, we’d love to know the details of the Sendmail issues back then!). These were documented on August 23, 1981, well over 24 years ago.
I’m sure there are vulnerabilities that were discovered and published before that. Does anyone have a copy of the old “Unix Bug List”? Some old t-file or email with an ancient vulnerability? Perhaps a changelog for a product as venerable as Sendmail? We want it, and we’ll reward you for it…
I’m not exactly sure what the reward will be yet. Maybe a gift certificate from one of your favorite shops, maybe some OSVDB swag, maybe something a little more silly, who knows. The rules of this contest:
- The information must be somewhat specific. Sendmail can get away with ‘multiple issues’ and remain vague due to the extensive history behind the program. We need to know some detail about the vulnerability. “BSD 0.83beta had a vulnerability” will not cut it.
- The vulnerability must be documented somewhere. No stories or second-hand accounts will work. Changelogs, advisories, email or anything else that can help authenticate it is required.
- It must be a solid vulnerability. Concerns, weaknesses and best practices won’t work.
- Lastly, it must pass the general ‘BS’ test. If our cynical minds detect shenanigans, it doesn’t count.
That’s it! So, beat our two entries from August 23, 1981 and grab a minute of fame on this blog, our appreciation, bragging rights, and whatever reward we come up with. Mail submissions to moderators at osvdb dot org.
OK, OSVDB is not really closing. But based on my experience with running and participating in projects and sites, the second you announce a valuable resource is going away, people come out of the woodwork to volunteer or support the project to keep it going. When the Attrition.org Defacement Mirror closed, I received several dozen mails asking, begging, even demanding that the project keep running. So why didn’t these same people help out for the years prior to the announcement? If a project or resource is that helpful and that valuable to you, why not support them?
Without going into a full rant or debate on the nature of open source (OS), one of the most prevalent arguments for OS is that the community can help. For OS code, it is argued that anyone can look at the source code and find bugs... but they rarely do. For OS projects, it is argued that volunteers work on projects for the love of it, not because it’s a source of money for food and shelter... but they often don’t.
That said, OSVDB could substantially benefit from one or two developers before any such closing. Ideally we need a couple folks with solid PHP coding experience, PostgreSQL database manipulation, and the willingness / desire / time to work on the project. We can promise you fortune and fame! OK not really. What we can offer you:
- The ability to develop and enhance the project in a leadership role (we’ll even call you ‘god’ if you want)
- The chance to significantly change the vulnerability database landscape (yes, really)
- Work on a number of long-term development projects (we have ideas, you have skills!)
- The freedom to work when and how you want, with little to no supervision (go wild)