Posted by jkouns
Tue, 16 Dec 2003 06:11:49 GMT
Some people have voiced concerns recently around the readiness and licensing of OSVDB. Although one may question the motives, we feel it is important to acknowledge and address the issues raised, as they are valid concerns.
It is critical to understand that the current OSVDB web site is a beta “service”. Until March of 2004, it will undergo a lot of changes, the most noticeable being database population. In the coming months, there will be more fields associated with each vulnerability to further enhance the database and provide the relevant information needed. Even though all entries in the database are not in stable status, it is possible to view all entries at this point.
One of the biggest tasks outstanding for OSVDB is refining the current licensing agreement. OSVDB is meant to be free to the information security community and needs to be properly licensed to ensure there are no legal issues for contributors to the project. However, there is one major concern that is still an unresolved issue. OSVDB does not want to have members of the security community volunteer their time, create an incredible database and then have the next commercial scanner come along and use the database to feed their scanning engine without supporting the project. If you have read the current terms of service, you will see that it is not worded appropriately at this point, but it is on the list of things to be addressed.
OSVDB is not a company. While we have Digital Defense currently providing hardware and bandwidth support, they do not own the database. Furthermore, since the project is meant for the open source community, anyone can download the entire database at any time and manipulate it as they see fit. This is something you won’t find with any other public or private vulnerability database.
If you have concerns about the licensing of OSVDB, please send your concerns and suggestions to moderators@osvdb.org.
Posted in OSVDB News | no comments
Posted by jkouns
Mon, 08 Dec 2003 06:04:47 GMT
The Open Source Vulnerability Database (http://www.osvdb.org) is currently recruiting security enthusiasts to support the project. The concept of OSVDB was introduced to create an unbiased, vendor neutral vulnerability database for utilization by individuals in the information security community.
We have an immediate need for individuals with information security experience to join the project and help update the database. The role is expected to update at least one vulnerability per day over a period of a month. We estimate that each vulnerability may take 15 to 30 minutes on average. If you are interested in contributing, please visit the website to read more about the project and then apply at http://www.osvdb.org/submissions.php.
We are looking for long-term support from the security community in a number of ways. We would like to see open source products, websites, and companies start to reference OSVDB IDs. Even though OSVDB is a non-profit project, donations of hardware, Microsoft golf shirts and money would greatly help. Actually, we are looking for some hard drives to help our storage constraints as the database expands.
The OSVDB database is currently on schedule to go live 03/31/2004. Without the support of the community this effort would not be possible! Please contact jkouns@jkouns.com with any questions or feedback.
Posted in OSVDB News | no comments
Posted by jkouns
Sun, 30 Nov 2003 06:00:00 GMT
Loads of improvements have happened on the backend and many thanks have to go out to Forrest for his hard work! While in our transition phase we have had two truly dedicated manglers (Thanks Sullo and Owentl). Many others have helped when they have had time and we are thankful and are also hoping for more support.
There have been so many improvements to streamline the backend processes, and there are more that are coming. The most important feature that has been implemented is having built-in Templates for the External Texts. The goal of having templates is not to be restrictive but to make an attempt to standardize the format and wording of the database while reducing the time it takes to mangle the entry.
Keep a watch out for more improvements!
Posted in OSVDB News | no comments
Posted by jkouns
Wed, 15 Oct 2003 05:01:59 GMT
2003-11-31 - Backend Processes Finalized
2003-12-31 - Public Webpage Redesigned
2004-01-15 - OSVDB Recruiting Completed
2004-02-29 - Web Checks Integrated
2004-03-31 - OSVDB Database Goes Live
Posted in OSVDB News | no comments
Posted by jkouns
Fri, 02 Aug 2002 04:59:03 GMT
At the Black Hat and Defcon security conferences, security community volunteers announce two important new services for the security community and a new partnership for community-based security information sources. The first is the VulnDiscuss mailing list, a new full disclosure forum that complements the existing VulnWatch announcement list. VulnDiscuss is meant to foster the discussion of security issues and vulnerabilities by providing a forum for recent security announcements to be discussed. VulnDiscuss will be under moderator control to keep it topical, and access is open to anyone who wishes to participate or observe.
The second is the Open Source Vulnerability Database (OSVDB). OSVDB - A database built and maintained for the community, by the community. The goal of the Open Source Vulnerability Database is to provide accurate, technical, up to date, unbiased, and reliable vulnerability information to the community for free.
The redundant time, effort and money that individual people and companies put into maintaining proprietary databases will be cut by exorbitant amounts by participating in a community that is working toward a common goal. The database will have no commercial licensing restrictions, allowing corporations, businesses, and individuals alike to use this information in any way they wish without having to pay a dime.
The OSVDB project will be debuting with thousands of vulnerability entries provided by databases donated by Digital Defense, Inc., and SensePost. This will provide a strong base to start from, allowing OSVDB to immediately track new vulnerabilities and provide quality data from the start. The continued help of Farm9, NMRC, Neohapsis, Packetstorm, VulnWatch, and many other industry experts is invaluable to this project.
And finally the third is a formal partnership between multiple community-based security information sources: PacketStorm, Open Source Vulnerability Database, Alldas.org, and VulnWatch. The partnership will come together under the Internetworked Security Information Services initiative (ISISi) title, which will remain a non-profit, vendor-neutral entity run by volunteers from the security community. All involved projects share the common goal of providing accessible information security resources useful for researchers, IT Professionals, and the general public, while adhering to a not-for-profit operation model. The initiative allows the projects to share resources and volunteers, eliminate redundancy, and provide a single organized access point to all information which is currently dispersed amongst the individual projects. Current ISISi information is available at www.isisi.org.
“[ISISi] allows us to pool our resources and increase the effectiveness of our respective initiatives while giving information security professionals co-ordinated, higher quality, open source security information than was possible previously.”
- Emerson Tan, Spokesman and Ideologue, Packetstormsecurity.org.
“Each of the projects involved in this initiative have committed to remaining independent and not-for-profit, this is a key requirement for participation as we want this to be a community supported effort, for the community by the community.”
- Steve Manzuik, founder and co-moderator of VulnWatch.
The individual projects can be contacted at the addresses below.
VulnWatch. Full disclosure security forums and resources. Press contact: Steve Manzuik, steve@vulnwatch.org.
Alldas.org. The most complete and up to date mirror of web site defacements that includes statistics and trend analysis. Press contact: press@alldas.org.
PacketStorm. Repository of vulnerability and exploit information. Press contact: Emerson Tan, et@c4i.org.
OSVDB.org. A database built and maintained for the community, by the community. Press contact: moderators@osvdb.org.
Posted in OSVDB News | no comments