Posted by jkouns
Tue, 27 Jul 2010 23:33:00 GMT
The Open Security Foundation, providing independent, accurate, detailed, current, and unbiased security information to professionals around the world, announced today that it has launched Cloutage (cloutage.org), which will bring enhanced visibility and transparency to cloud security. The name Cloutage is a play on two words, Cloud and Outage, which together describe what the new website offers: a destination for organizations to learn about cloud security issues as well as a complete list of problems around the globe among cloud service providers.
The new website is aimed at empowering organizations by providing cloud security knowledge and resources so that they may properly assess information security risks related to the cloud. Cloutage documents known and reported incidents with cloud services while also providing a one-stop shop for cloud security news and resources.
“When speaking with individuals about the cloud, to this point it has been a very emotional conversation. People either love or hate the cloud,” says Jake Kouns, Chairman, Open Security Foundation. “Our goal with Cloutage is to bring grounded data and facts to the conversation so we can have more meaningful discussions about the risks and how to improve cloud security controls.”
Cloutage captures data about incidents affecting cloud services in several forms including vulnerabilities that affect the confidentiality and integrity of customer data, automatic update failures, data loss, hacks and outages that impact service availability. Data is acquired from verifiable media resources and is also open for community participation based on anonymous user submissions. Cloud solution providers are listed on the website and the community can provide comments and ratings based on their experiences. Cloutage also features an extensive news service, mailing lists and links to organizations focused on the secure advancement of cloud computing.
“The nebulous world of cloud computing and the security concerns associated with it confuses many people, even IT and security professionals," says Patrick McDonald, a volunteer on the Cloutage project. "We want a clearinghouse of information that provides a clear picture of the cloud security issues."
Posted in OSVDB News, General Security
Posted by lyger
Fri, 02 Apr 2010 04:39:00 GMT
Back in January, I issued a challenge to see how many new vulnerabilities would be entered into OSVDB over a three-month period. January went by, then February, and then March came and went. For anyone out there keeping score, here's March's totals:
2010-03-01: 32 vulns pushed, 164 vulns updated
2010-03-02: 27 vulns pushed, 149 vulns updated
2010-03-03: 9 vulns pushed, 73 vulns updated
2010-03-04: 53 vulns pushed, 207 vulns updated
2010-03-05: 17 vulns pushed, 94 vulns updated
2010-03-06: 9 vulns pushed, 56 vulns updated
2010-03-07: 4 vulns pushed, 103 vulns updated
2010-03-08: 25 vulns pushed, 125 vulns updated
2010-03-09: 42 vulns pushed, 157 vulns updated
2010-03-10: 24 vulns pushed, 243 vulns updated
2010-03-11: 7 vulns pushed, 64 vulns updated
2010-03-12: 52 vulns pushed, 148 vulns updated
2010-03-13: 4 vulns pushed, 15 vulns updated
2010-03-14: 2 vulns pushed, 43 vulns updated
2010-03-15: 18 vulns pushed, 136 vulns updated
2010-03-16: 77 vulns pushed, 232 vulns updated
2010-03-17: 31 vulns pushed, 277 vulns updated
2010-03-18: 48 vulns pushed, 458 vulns updated
2010-03-19: 3 vulns pushed, 224 vulns updated
2010-03-20: 25 vulns pushed, 100 vulns updated
2010-03-21: 3 vulns pushed, 222 vulns updated
2010-03-22: 18 vulns pushed, 101 vulns updated
2010-03-23: 0 vulns pushed, 60 vulns updated
2010-03-24: 5 vulns pushed, 20 vulns updated
2010-03-25: 39 vulns pushed, 162 vulns updated
2010-03-26: 38 vulns pushed, 245 vulns updated
2010-03-27: 40 vulns pushed, 95 vulns updated
2010-03-28: 18 vulns pushed, 41 vulns updated
2010-03-29: 14 vulns pushed, 329 vulns updated
2010-03-30: 46 vulns pushed, 413 vulns updated
2010-03-31: 44 vulns pushed, 341 vulns updated
2010-04-01: 63 vulns pushed, 397 vulns updated
Yes, we missed a day on the 23rd, but there's a good excuse there. It was the following Tuesday after St. Patrick's Day, which is usually around the time my hangover wears off and I realized that food and sleep are "good things", so I took a day off. I think. If you have any evidence that I was conscious on March 23, mail me. Just curious.
Anyway, there you go. Over the course of the challenge, we promoted 2,060 new vulnerabilities into OSVDB, and as promised, I'll be donating $1,030.00 to the Open Security Foundation. Extra special thanks go to all of the moderators and manglers who made it happen; you have no idea how much time and effort they all spent to get these vulnerabilities into the database. Now that the challenge is over, anybody out there who would like to match the challenge, even on a fractional basis (such as 25% of the amount donated), please contact us here and we'll provide details.
Posted by jericho
Mon, 08 Mar 2010 22:11:00 GMT
In 2002, iDefense started their Vulnerability Contributor Program. The VCP was created to solicit vulnerability information from the security community and pay researchers for the information. Paying up to US$15,000 for a vulnerability or exploit, iDefense proved there was a significant market for such information after years of debate. The VCP also served as a stark reminder that researchers do not have an obligation to report vulnerabilities to vendors, that doing so is a courtesy.
The VCP pays for "actionable research", meaning exploits in prominent software (e.g., Microsoft, Oracle) and infrastructure devices (e.g., Cisco). With the information in hand, iDefense in turn leverages the researchers' time by notifying their customers as an early warning system while handling the responsible disclosure of the information to the vendor. This activity can save a world of time for researchers who are long since tired of the headache that often comes with disclosure.
The list of vulnerabilities disclosed by iDefense is impressive. They attribute the large number of advisories to "250 security researchers worldwide".
In the past few months, an OSF employee (Nepen) has begun to add creditee information for many vulnerabilities in prominent software. This has resulted in creditee information being added for all of the iDefense vulnerabilities. Using OSVDB, we can now look at their advisories in a new light.
iDefense employees have released 131 advisories, credited to 11 unique researchers and "iDefense Labs". The VCP program has released 479 advisories, credited to 78 unique researchers and "anonymous". If we assume the 250 researcher number is an estimate and includes both iDefense and VCP, then 89 researchers are distinct and public. That means the "anonymous" submissions make up approximately 161 unique people and cover 326 advisories out of the 479 released.
Using OSVDB's new creditee system, we can see a neat timeline of the advisories as related to both iDefense and their VCP:
iDefense VCP (79 researchers, 479 advisories): http://osvdb.org/affiliations/1139-idefense-labs-vcp
iDefense Labs (12 researchers, 131 advisories): http://osvdb.org/affiliations/1091-idefense-labs
This is one of many neat ways to use the enhanced creditee system. Over time, as more information is added to the database, we can begin to look at other researchers and organizations.
Posted in Vulnerability Disclosure, Vulnerability Market/Value | Tags creditee, iDefense, VCP
Posted by lyger
Mon, 01 Mar 2010 13:36:00 GMT
Back in early January, I issued a challenge to donate to OSF's Winter Fundraiser for every new vulnerability pushed into OSVDB. Two of the three months have come and gone, and even though January was a little more productive than February in terms of new vulnerabilities, the moderation team is still making good progress:
2010-02-01: 13 vulns pushed, 133 vulns updated
2010-02-02: 31 vulns pushed, 79 vulns updated
2010-02-03: 25 vulns pushed, 145 vulns updated
2010-02-04: 21 vulns pushed, 31 vulns updated
2010-02-05: 25 vulns pushed, 153 vulns updated
2010-02-06: 8 vulns pushed, 76 vulns updated
2010-02-07: 3 vulns pushed, 278 vulns updated
2010-02-08: 27 vulns pushed, 64 vulns updated
2010-02-09: 47 vulns pushed, 159 vulns updated
2010-02-10: 37 vulns pushed, 160 vulns updated
2010-02-11: 16 vulns pushed, 59 vulns updated
2010-02-12: 27 vulns pushed, 128 vulns updated
2010-02-13: 10 vulns pushed, 51 vulns updated
2010-02-14: 4 vulns pushed, 112 vulns updated
2010-02-15: 12 vulns pushed, 81 vulns updated
2010-02-16: 23 vulns pushed, 181 vulns updated
2010-02-17: 28 vulns pushed, 235 vulns updated
2010-02-18: 25 vulns pushed, 119 vulns updated
2010-02-19: 43 vulns pushed, 261 vulns updated
2010-02-20: 11 vulns pushed, 126 vulns updated
2010-02-21: 2 vulns pushed, 34 vulns updated
2010-02-22: 3 vulns pushed, 64 vulns updated
2010-02-23: 41 vulns pushed, 221 vulns updated
2010-02-24: 37 vulns pushed, 112 vulns updated
2010-02-25: 15 vulns pushed, 138 vulns updated
2010-02-26: 17 vulns pushed, 146 vulns updated
2010-02-27: 9 vulns pushed, 17 vulns updated
2010-02-28: 8 vulns pushed, 24 vulns updated
With 568 new vulnerabilities pushed in February, we're now up to 1,223 new entries for 2010; personally, I'd like to see that number hit at least 2,000 by the end of March (3,000 may be out of reach, but never say never), but that will depend on the time and efforts of our moderation team and the number of vulnerabilities uncovered by our multiple reference sources. Please remember that I will donate $0.50 to OSF for every new vulnerability pushed into the database through April 1 (and no, there will not be an April Fools announcement saying that the challenge has been called off), and we're hoping to obtain some matching offers to help offset the costs of maintaining the database. A special "thank you" goes to all parties who have offered to match the challenge so far, and we hope others who find OSVDB to be a valuable resource can jump in and help us out as well.
31 more days for the challenge... and away... we... go.
Posted in Vulnerability Statistics, OSVDB News
Posted by jericho
Fri, 19 Feb 2010 06:06:00 GMT
Over the years, security practitioners have been interested in specific metrics related to vulnerability timelines. Certain dates, if present, can be used to extrapolate additional information related to the timeline and vulnerability handling.
Using Vendor Informed Date and Vendor Solution Date, we can extrapolate "time to patch". This is the amount of time between the vendor learning about a vulnerability, and providing a solution (i.e., patch, workaround, upgrade).
Using Exploit Publish Date and Vendor Solution Date, we can extrapolate "time of exposure". This is the amount of time between the publishing of exploit code and the vendor providing a solution. For these vulnerabilities, there is no doubt that an attacker could exploit the vulnerability and a target has no practical solution. While any vulnerability that has been disclosed may be exploited, lack of details may make it considerably difficult or raise the bar so that only dedicated attackers could use the information. This lack of information means the time of exposure is there, but the circumstances for exploitation are questionable.
In the past, eEye prominently displayed the vendor's time to patch on their advisories. eEye also began tracking "zero day threats", which highlighted "days of exposure". The Zero Day Initiative (ZDI) tracks time to patch for upcoming advisories as well. Unfortunately for the industry, time to patch information was tracked only for eEye and ZDI advisories.
OSVDB has made changes to better track both time to patch and time of exposure. First, the display of the related dates has been re-worked to present a more distinct timeline, with extrapolated times below it (e.g., http://osvdb.org/22582). Second, you can now quickly browse the worst offenders:
Time of Exposure - http://osvdb.org/browse/time_of_exposure
Time to Patch - http://osvdb.org/browse/time_to_patch
Know of any offenders that aren't on these lists? Feel free to mangle the entry and add missing dates, or simply contact us with a CVE identifier, OSVDB ID or information about the vulnerability.
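Added example (not OSVDB's own code): the two metrics described above computed from a record's dates in Python, returning None rather than a misleading number when a date is missing, optionally measuring the still-open window for an entry with no vendor solution yet, and rendering a span in the "6 Months, 7 Days (191 days)" style used in the Aurora table later on this page. The VulnRecord fields, the EXAMPLE-* entries and the as-of date are constructed; the two CVE rows reuse dates from that table.

```python
"""Timeline metrics as OSVDB defines them: "time to patch" runs from
Vendor Informed Date to Vendor Solution Date, and "time of exposure" from
Exploit Publish Date to Vendor Solution Date."""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple


@dataclass
class VulnRecord:  # field names are this example's own, not OSVDB's schema
    ident: str
    vendor_informed: Optional[date] = None
    vendor_solution: Optional[date] = None
    exploit_publish: Optional[date] = None


def elapsed_days(start: Optional[date], end: Optional[date],
                 as_of: Optional[date] = None) -> Optional[int]:
    """Days from start to end.  If end is unknown and as_of is given, the
    window is treated as still open and measured up to as_of; otherwise a
    missing date yields None instead of a number."""
    if start is None:
        return None
    if end is None:
        if as_of is None:
            return None
        end = as_of
    return (end - start).days


def time_to_patch(r: VulnRecord, as_of: Optional[date] = None) -> Optional[int]:
    return elapsed_days(r.vendor_informed, r.vendor_solution, as_of)


def time_of_exposure(r: VulnRecord, as_of: Optional[date] = None) -> Optional[int]:
    # A negative result means exploit code appeared only after the fix, so
    # there was no window with public exploit code and no solution.
    return elapsed_days(r.exploit_publish, r.vendor_solution, as_of)


def add_months(d: date, n: int) -> date:
    """Advance d by n calendar months, clamping the day (Jan 31 + 1 -> Feb 28)."""
    years, month0 = divmod(d.month - 1 + n, 12)
    year, month = d.year + years, month0 + 1
    last_day = calendar.monthrange(year, month)[1]
    return d.replace(year=year, month=month, day=min(d.day, last_day))


def months_and_days(start: date, end: date) -> Tuple[int, int]:
    """Split start..end into whole calendar months plus leftover days."""
    months = (end.year - start.year) * 12 + (end.month - start.month)
    if end.day < start.day:
        months -= 1  # the last calendar month is not complete
    return months, (end - add_months(start, months)).days


def format_span(start: date, end: date) -> str:
    """Render a span like '6 Months, 7 Days (191 days)'."""
    months, days = months_and_days(start, end)
    return f"{months} Months, {days} Days ({(end - start).days} days)"


def worst_offenders(records, metric, limit=3, as_of=None):
    """Rank entries by a metric, longest first; entries whose dates are
    missing (or whose exploit came after the fix) are left out."""
    scored = [(r.ident, metric(r, as_of)) for r in records]
    scored = [(i, d) for i, d in scored if d is not None and d > 0]
    return sorted(scored, key=lambda x: x[1], reverse=True)[:limit]


# Sample records: the CVE rows reuse "Reported to MS" and patch dates from
# the Aurora table on this page; the EXAMPLE-* rows are constructed.
SAMPLE = [
    VulnRecord("CVE-2010-0244", date(2009, 7, 14), date(2010, 1, 21)),
    VulnRecord("CVE-2010-0247", date(2009, 9, 3), date(2010, 1, 21)),
    VulnRecord("EXAMPLE-A", date(2010, 1, 5), date(2010, 2, 4), date(2010, 1, 10)),
    VulnRecord("EXAMPLE-B", date(2010, 1, 20), None, date(2010, 1, 22)),  # unpatched
]
AS_OF = date(2010, 2, 19)  # constructed "today" for the open-window case

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.ident, "ttp:", time_to_patch(r, AS_OF), "toe:", time_of_exposure(r, AS_OF))
    print(format_span(SAMPLE[0].vendor_informed, SAMPLE[0].vendor_solution))
    print(worst_offenders(SAMPLE, time_to_patch))
    print(worst_offenders(SAMPLE, time_of_exposure, as_of=AS_OF))
```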
Posted in OSVDB News, Vulnerability Databases
Posted by jkouns
Fri, 12 Feb 2010 21:24:00 GMT
The Open Security Foundation (OSF) is an internationally recognized 501(c)(3) non-profit public organization seeking senior leaders capable of providing broad-based perspective on information security, business management and fundraising to volunteer for an Advisory Board. The Advisory Board will provide insight and guidance when developing future plans, an open forum for reviewing community feedback and a broader view when prioritizing potential new services.
OSF was founded in 2004 and has been operated by information security enthusiasts since its inception. We exist to empower all types of organizations by providing knowledge and resources so that they may properly protect, detect and mitigate information security risks. We believe that security information and services should be easily accessible for all who have the need for such information. We promote open collaboration between companies and individuals, provide unbiased information to uphold educated decision-making, and attempt to eliminate the need for redundant works while striving to improve organizations' overall security posture.
Prospective Advisory Board members should show an ability and willingness to:
-Participate actively in all meetings of the Advisory Board (2 times per year and as otherwise needed)
-Represent OSF and its mission to organizations and the general public
-Review and provide feedback for proposed OSF plans
-Chair and serve as members of committees
-Assist in locating and developing funding sources for OSF
Name:
Phone Number:
Email Address:
Area of Expertise:
The call for Advisory Board volunteers will be open until March 19, 2010. We will review all submissions by March 31, 2010.
Posted in OSVDB News
Posted by jkouns
Sat, 06 Feb 2010 06:27:00 GMT
The Open Security Foundation (OSF) has grown from a humble beginning in 2004 to an internationally recognized 501(c)(3) non-profit public organization. Through the work of a small team of dedicated information security enthusiasts, the Open Source Vulnerability Database (OSVDB) and DataLossDB projects have provided organizations of all sizes with the knowledge and resources to accurately detect, protect and mitigate information security risks. OSF research is often cited throughout the security industry and the organization was honored by being named winner of the SC Magazine's Editors Choice award for 2009.
To ensure the highest quality information, which has become the trademark of OSF, a tremendous amount of effort is expended on a daily basis by OSF volunteers to process an ever increasing number of data loss and vulnerability reports. Over the years, many volunteers have been involved in the projects, but for the most part the heavy lifting has been the work of only a few very dedicated volunteers. The "open source" approach to resourcing the projects has been successful to date but is now proving to be an unsustainable model. With long-term sustainability and increased services as our goal, we have initiated a comprehensive review of our current operations, our existing approach to project funding and the creation of potential new services for the security community.
As a start, we plan to do a better job of sharing our view on the state of the information security industry and creating a mechanism to gain community feedback to better establish our vision for the OSVDB and DataLossDB projects.
To that end I want to take a moment to share our initial plans for 2010.
The OSF officers and project leads have been dedicated to the daily operations required to make OSVDB and DataLossDB the recognized leader in vulnerability and data loss tracking. This focused dedication has left little time to take the pulse of the industry as it relates to our projects or to establish a clear long-term vision for the projects. To address this need, OSF will be creating an Advisory Board. The board will consist of three to five senior leaders capable of providing broad based perspective on information security, business management and fundraising. It is our hope that this will provide a sounding board when developing future plans, an open forum when reviewing community feedback and a broader view when prioritizing potential new services. Additional information along with an official call for Advisory Board nominations is planned for 2/12/2010.
Direct unfiltered feedback from both the security community as well as the organizations that benefit from our projects is critical. Over the next few weeks, we plan to post a public survey asking for feedback that will help shape our long-term vision and establish our near-term plans for OSVDB and DataLossDB. Those of you who value the work that the OSF provides and/or consider yourselves friends and supporters of OSF are asked to help spread the word to maximize the feedback provided.
Feedback from the survey will be the foundation for the OSF vision and 2010 plan. Our goal is to present a draft of both the vision and the 2010 plan to the newly formed Advisory Board by mid-April 2010. Once finalized, both documents will be shared with the information security community.
OSF has been recognized for providing a critical service to the information security community but our potential is much greater. We look forward to hearing your ideas on how OSF can further improve the state of security while building a stronger organization to deliver even higher quality research and additional services.
Chairman, Open Security Foundation
Posted in OSVDB News
Posted by lyger
Mon, 01 Feb 2010 05:19:00 GMT
Well, it's been almost a month since we issued our original challenge for the "OSVDB Winter 2010 Fundraising Goal". As mentioned in our initial post, we're pretty transparent about how much work we do on a daily/weekly/monthly basis. Thanks to Twitter, pico, and my /home/lyger/wtf-ever folder, we present January's results:
2010-01-01: 23 vulns pushed, 56 vulns updated
2010-01-02: 21 vulns pushed, 194 vulns updated
2010-01-03: 11 vulns pushed, 143 vulns updated
2010-01-04: 25 vulns pushed, 104 vulns updated
2010-01-05: 50 vulns pushed, 184 vulns updated
2010-01-06: 13 vulns pushed, 94 vulns updated
2010-01-07: 15 vulns pushed, 78 vulns updated
2010-01-08: 33 vulns pushed, 162 vulns updated
2010-01-09: 1 vulns pushed, 127 vulns updated
2010-01-10: 17 vulns pushed, 208 vulns updated
2010-01-11: 30 vulns pushed, 325 vulns updated
2010-01-12: 32 vulns pushed, 385 vulns updated
2010-01-13: 21 vulns pushed, 119 vulns updated
2010-01-14: 18 vulns pushed, 79 vulns updated
2010-01-15: 26 vulns pushed, 199 vulns updated
2010-01-16: 65 vulns pushed, 102 vulns updated
2010-01-17: 15 vulns pushed, 75 vulns updated
2010-01-18: 21 vulns pushed, 130 vulns updated
2010-01-19: 20 vulns pushed, 48 vulns updated
2010-01-20: 22 vulns pushed, 142 vulns updated
2010-01-21: 18 vulns pushed, 83 vulns updated
2010-01-22: 16 vulns pushed, 86 vulns updated
2010-01-23: 16 vulns pushed, 27 vulns updated
2010-01-24: 6 vulns pushed, 30 vulns updated
2010-01-25: 25 vulns pushed, 114 vulns updated
2010-01-26: 8 vulns pushed, 70 vulns updated
2010-01-27: 16 vulns pushed, 90 vulns updated
2010-01-28: 26 vulns pushed, 87 vulns updated
2010-01-29: 20 vulns pushed, 28 vulns updated
2010-01-30: 14 vulns pushed, 52 vulns updated
2010-01-31: 11 vulns pushed, 40 vulns updated
As of early morning February 1, we have pushed 655 new vulnerabilities into the database since the beginning of 2010. Please take a moment to look at the dates listed above; if you find a day missing from January, please let us know. Yes, we laid off on the 9th (Jericho made the save with OSVDB 61571 : EcShop /admin/integrate.php Multiple Parameter Arbitrary Command Execution), but the honest fact is that we generally work on OSVDB *every day* in some form. Some days are slower than others, sure... we still have families, friends, and other hobbies (believe it or not). Actually, the number of OSVDB moderators who own a Wii with the Fit Plus package is scary, but I digress.
So, about the challenge we presented... I'm still willing to put up $0.50 HARD U.S. DOLLARS for every new vulnerability we push from January 1, 2010 through April 1, 2010. I pushed it through April 1 and not just March 31 because a) April 1 is a much cooler day to end a contest, 2) February 29 is a special day and should never be left out of any year, so an extra day was warranted, and d) that's the period that Dave set up the end of the fundraising goal for, and we try to keep him happy so things don't randomly 500 when we do something like enter weird support tickets.
Any company or person who still wants to match my offer, please feel free to do so. Even though we're only at about 2/3 of our usual push rate, we're not intentionally laying back to keep the new vulnerability count lower. Coming off a holiday season takes time to get back in the groove, not only for us but our reference providers as well. Please mail us at our moderators@ address if you want to contribute.
Posted in OSVDB News, Vulnerability Databases
Posted by jericho
Sun, 24 Jan 2010 11:35:00 GMT
Perhaps it is the fine tequila this evening, but I really don't get how our industry can latch on to the recent 'Aurora' incident and try to take Microsoft to task about it. The amount of news on this has been overwhelming, and I will try to very roughly summarize:
News surfaces Google, Adobe and 30+ companies hit by "0-day" attack
Google uses this for political overtones
Originally thought to be Adobe 0-day, revealed it was MSIE 0-day
Jan 14, confirmed it is MSIE vuln, shortly after dubbed "aurora"
Jan 21, uproar over MS knowing about the vuln since Sept
Now, here is where we get to the whole forest, trees and some analogy about eyesight. Oh, I'll warn (and surprise) you in advance, I am giving Microsoft the benefit of the doubt here (well, for half the blog post) and throwing this back at journalists and the security community instead. Let's look at this from a different angle.
The big issue that is newsworthy is that Microsoft knew of this vulnerability in September, and didn't issue a patch until late January. What is not clear, is if Microsoft knew it was being exploited. The wording of the Wired article doesn't make it clear: "aware months ago of a critical security vulnerability well before hackers exploited it to breach Google, Adobe and other large U.S. companies" and "Microsoft confirmed it learned of the so-called 'zero-day' flaw months ago". Errr, nice wording. Microsoft was aware of the vulnerability (technically), before hackers exploited it, but doesn't specifically say if they KNEW hackers were exploiting it. Microsoft learned of the "0-day" months ago? No, bad bad bad. This is taking an over-abused term and making it even worse. If a vulnerability is found and reported to the vendor before it is exploited, is it still 0-day (tree, forest, no one there to hear it falling)?
Short of Microsoft admitting they knew it was being exploited, we can only speculate. So, for fun, let's give them a pass on that one and assume it was like any other privately disclosed bug. They were working it like any other issue, fixing, patching, regression testing, etc. Good Microsoft!
Bad Microsoft! But, before you jump on the bandwagon, bad journalists! Bad security community!
Why do you care they sat on this one vulnerability for six months? Why is that such a big deal? Am I the only one who missed the articles pointing out that they actually sat on five code execution bugs for longer? Where was the outpour of blogs or news articles mentioning that "aurora" was one of six vulnerabilities reported to them during or before September, all in MSIE, all that allowed remote code execution (tree, forest, not seeing one for the other)?
| CVE | Reported to MS | Disclosed | Time to Patch |
| --- | --- | --- | --- |
| CVE-2010-0244 | 2009-07-14 | 2010-01-21 | 6 Months, 7 Days (191 days) |
| CVE-2010-0245 | 2009-07-14 | 2010-01-21 | 6 Months, 7 Days (191 days) |
| CVE-2010-0246 | 2009-07-16 | 2010-01-21 | 6 Months, 5 Days (189 days) |
| CVE-2010-0248 | 2009-08-14 | 2010-01-21 | 5 Months, 7 Days (160 days) |
| CVE-2010-0247 | 2009-09-03 | 2010-01-21 | 4 Months, 18 Days (140 days) |
| CVE-2010-0249 | 2009-09-?? | 2010-01-14 | 4 Months, 11 Days (133 days) - approx |
| CVE-2010-0027 | 2009-11-15 | 2010-01-21 | 2 Months, 6 Days (67 days) |
| CVE-2009-4074 | 2009-11-20 | 2009-11-21 | 2 Months, 1 Day (62 days) |
Remind me again, why the "Aurora" conspiracy is noteworthy? If Microsoft knew of six remote code execution bugs, all from the September time-frame, why is one any more severe than the other? Is it because one was used to compromise hosts, detected and published in an extremely abnormal fashion? Are we actually trying to hold Microsoft accountable on that single vulnerability when the five others just happened not to be used to compromise Google, Adobe and others?
Going back to the Wired article, they say on the second to last paragraph: "On Thursday, meanwhile, Microsoft released a cumulative security update for Internet Explorer that fixes the flaw, as well as seven other security vulnerabilities that would allow an attacker to remotely execute code on a victim’s computer." Really, Wired? That late in the article, you gloss over "seven other vulnerabilities" that would allow remote code execution? And worse, you don't point out that Microsoft was informed of five of them BEFORE AURORA?
Seriously, I am the first one to hold Microsoft over the flames for bad practices, but that goes beyond my boundaries. If you are going to take them to task over all this, at least do it right. SIX CODE EXECUTION VULNERABILITIES that they KNEW ABOUT FOR SIX MONTHS. Beating them up over just one is amateur hour in this curmudgeonly world.
Posted in Vulnerability Disclosure
Posted by lyger
Tue, 05 Jan 2010 03:16:00 GMT
OSVDB has just announced its Winter 2010 Fundraising Goal, which currently hopes to raise $9,000 before April 1, 2010. Looking back over the last couple of years of advances in the project, it's easy to see not only how the project has evolved, but also how operational costs have increased to cover software development, content development, server hosting costs, and other assorted expenses to help keep OSVDB interesting, timely, and functional.
On average, OSVDB has promoted 10,000 to 12,000 vulnerabilities per year for the last few years. Breaking that down to about 1,000 per month, the vulnerabilities in the database are gathered from a variety of sources, such as CVE, Secunia and various vendor changelogs and advisories. Keeping up a pace of about 1,000 newly listed vulnerabilities per month hasn't always been easy... but it's about to get interesting.
I recently resigned my position as Chief Communications Officer with Open Security Foundation to focus more on the "content" aspect of OSVDB and DataLossDB. The extra time gained from giving up administrative duties will hopefully help the sites keep content fresh and accurate. Jericho, CJI, and I are going to keep working on new vulnerabilities as we can and keep the ball rolling.
With that said, I'm issuing a challenge: For every new vulnerability issued an OSVDB ID from January 1, 2010 through April 1, 2010, I will donate $0.50 (fiddy cents) of my own money to the OSVDB fundraiser. I challenge anyone who feels that OSVDB is a valuable resource to the security community to match my donation.
To make a few points clear:
1. I am no longer an OSF officer. My donation comes out of my own pocket, not the OSF coffers, and I will accept no compensation from OSF for this offer. If I have to sell a kidney, I hear you only need one anyway.
2. Since Jericho, CJI, and I are the ones who generally push new vulnerabilities to "live" status, there will be no slacking to save my bank account. If anything, I'll be more motivated to push the potential donations higher and they'll be motivated to watch me suffer on April 2. That's how we roll.
3. At an average of 1,000 vulnerabilities a month, over three months I expect to donate $1,500. It may be less, it may be more. There will be a maximum cap of $2,500 donated by myself and anyone who matches it. If we can push 5,000 vulns in three months, something is either very wrong or very great. YMMV.
4. If five other people and/or groups take me up on the challenge and we meet our average, OSF will meet its goal. We still hope everyone else will contribute not only time but *effort* to help the project.
5. This is not a gimmick. It's not smoke and mirrors. You can see what OSVDB pushes on a daily basis on our Twitter page and on our contributors page. We will push all legitimate vulnerabilities just as we have been doing for years. If we're slow for a few days, don't worry. We'll catch up.
So, that's the challenge. If anyone wants to play and match my offer, please contact us at moderators[at]osvdb.org. I'm going back to work now.
Posted in OSVDB News