Posted by jkouns
Thu, 26 Jan 2006 06:18:06 GMT
The Open Source Vulnerability Database (OSVDB), a project to catalog and describe the world’s security vulnerabilities, has had a challenging yet successful year. The project is fortunate to have the continued support of some devoted volunteers, yet remains challenged to keep up with the increasing number of vulnerability reports, as well as work on the back-log of historical information. Volunteers are continually sought to help us achieve our short and long-term goals.
Despite resource constraints, there have been many exciting successes in 2005:
* A major project goal of obtaining 501(c)3 non-profit status from the U.S. IRS was achieved. Obtaining non-profit status was critical to the long-term viability of the project. This status allows OSVDB to take charitable donations to help cover operating expenses, while providing a tax benefit to donor companies and individuals.
* The vulnerability database has grown to over 22,000 entries thanks to the dedicated work of Brian Martin, OSVDB Content Manager. At the end of December, over 10,000 of those vulnerabilities were worked on by volunteers to provide more detailed and cross-referenced information. Our volunteer "Data Manglers" and Brian have helped ensure OSVDB is the most complete resource for vulnerability information on the Internet.
* OSVDB started a blog in April, as a way for us to keep the public better informed on the project's status. Very quickly we realized the blog was a perfect place to discuss and comment on various aspects of vulnerabilities, and has become a successful mechanism for communicating with the security industry. If you have suggestions for topics, or would like to join the discussion, please visit the OSVDB blog.
We would like to also recognize our sponsors and thank them for their support. Digital Defense, Churchill & Harriman, Audit My PC, and Opengear have all provided important resources to OSVDB over the past year. We would also like to thank Renaud Deraison of the Nessus Project and HD Moore of the Metasploit Project for their support. Lastly, we of course want to thank our volunteers, and note that several of them have contributed to Nessus Network Auditing, available from Syngress Publishing.
We are very pleased with the progress and growth of OSVDB over the past year, but do not want to downplay the importance of recruiting new volunteers, as well as retaining our current ones, in order to get through the considerable back-log of vulnerabilities that need further work. This task is daunting, but will not only help retain valuable historical vulnerability information, but will also allow OSVDB to generate meaningful statistics for past and current years.
We have had a great year, and are looking forward to another one! We are of course still seeking assistance to help keep OSVDB successful; the project has many ideas in need of financial and volunteer support to implement. For more information on supporting OSVDB through volunteering or sponsorship, please contact moderators@osvdb.org.
Posted in OSVDB News | no comments
Posted by jericho
Mon, 19 Dec 2005 06:41:48 GMT
Ok, OSVDB is not really closing. But based on my experience with running and participating in projects and sites, the second you announce a valuable resource is going away, people come out of the woodwork to volunteer or support the project to keep it going. When the Attrition.org Defacement Mirror closed, I received several dozen mails asking, begging, even demanding that the project keep running. So why didn’t these same people help out for the years prior to the announcement? If a project or resource is that helpful and that valuable to you, why not support them?
Without going into a full rant or debate on the nature of open source (OS), one of the most prevalent arguments for OS is that the community can help. For OS code, it is argued that anyone can look at the source code and find bugs... but they rarely do. For OS projects, it is argued that volunteers work on projects for the love of it, not because it’s a source of money for food and shelter... but they often don’t.
That said, OSVDB could substantially benefit from one or two developers before any such closing. Ideally we need a couple folks with solid PHP coding experience, PostgreSQL database manipulation, and the willingness / desire / time to work on the project. We can promise you fortune and fame! Ok not really. What we can offer you:
- The ability to develop and enhance the project in a leadership role (we’ll even call you ‘god’ if you want)
- The chance to significantly change the vulnerability database landscape (yes, really)
- Work on a number of long term development projects (we have ideas, you have skills!)
- The freedom to work when and how you want, with little to no supervision (go wild)
Interested? Mildly curious? Know someone you want to subject to us? Contact us, or pass this info along please!
Posted by jericho
Tue, 26 Jul 2005 21:24:47 GMT
Several project leaders and OSVDB volunteers will be attending Defcon later this week. If you would like to meet up, hang out, ask questions or pledge time (booze?!), feel free to track us down. Odds are we will be around the Alexis Park pool during the evening hours. We might even have some stickers to hand out (trade for booze?!)!
Posted by jkouns
Sat, 09 Apr 2005 05:17:18 GMT
The Open Source Vulnerability Database, a project to catalog and describe the world’s security vulnerabilities, has continued to focus on improving database content and increasing services offered to the security community.
Since the official launch of OSVDB in March 2004, the vulnerability database has grown from 1000 to over 6700 complete entries. This rapid growth has far surpassed initial estimates, and the project’s many successes show that the open source community can truly deliver world-class security information.
OSVDB’s rapid success is directly attributed to the dedicated volunteers who help populate, maintain and enhance the database. Their hard work has already allowed OSVDB to exceed the amount of vulnerability information available in some databases. At the current rate of growth, the project is poised to surpass the other vulnerability databases by the end of 2005. “It will soon become mandatory for security professionals to use OSVDB if they want the most thorough information available,” says Brian Martin, one of the project leaders.
The OSVDB leadership team has been aggressively working to ensure the long term viability of the project. After improving content to be recognized as an industry leader, the team determined that incorporating as a non-profit organization was imperative to OSVDB’s future success. Founded to formally run the OSVDB project, the Open Security Foundation has been approved as a 501(c)3 non-profit organization under United States law. Jake Kouns, OSVDB project lead, says, “Achieving our non-profit status will allow us to seek funding and ensure free vulnerability information will be available for years to come.”
Two of the OSVDB project leaders, Brian Martin and Jake Kouns, will be presenting a talk called “Vulnerability Databases: Everything is Vulnerable” at cansecwest/core05 in May 2005. The presentation aims to provide an unbiased review of vulnerability databases, and addresses the value they should provide to security practitioners.
Posted by jkouns
Tue, 31 Aug 2004 05:16:44 GMT
The Open Source Vulnerability Database, a project to catalog and describe the world’s security vulnerabilities, has expanded its offering and opened a vendor dictionary that serves as a centralized resource for vendor contact information for public use on 31 August 2004.
The OSVDB vendor dictionary is a resource through which the security community will be able to gather contact information for a desired vendor. The vendor dictionary is a list of vendors, indexed by name, which may be freely searched and utilized by all who wish to find both general and security contact information. The service also provides a way for vendors to keep their information current within the dictionary. With straightforward forms, OSVDB will be a concise and central repository for up-to-date, accurate vendor contact information, and it’s free.
“Vendors expect to be contacted when researchers find security holes, no matter what,” says Jake Kouns, project lead for OSVDB. “However, many vendors do not provide easy to locate contact information on their websites. This makes it challenging, time consuming and sometimes impossible for security researchers to follow responsible disclosure practices.”
OSVDB aims to make it simple for contact information to be shared between researchers and vendors. The vendor dictionary is essentially a giant phonebook of vendors with current contact information, interfaced directly with the OSVDB database. It is designed for vendors, security professionals, and the security community alike. Many security researchers that routinely practice ethical disclosure find themselves unable to do so, due to the fact that the vendor contact information required is sometimes too challenging to find. Alexander Koren, an OSVDB volunteer from Germany, explains, “There will no longer be a need to dig through web pages to hopefully find all the necessary information anymore.” OSVDB realizes the necessity for a current and free resource for this information, and has responded by developing the dictionary to fill this gap.
Even though anyone can help maintain the dictionary, OSVDB calls for all software and hardware vendors to visit the vendor dictionary and ensure that their contact information is accurate and complete. OSVDB also urges vendors to reassess the means through which a researcher may contact them with vulnerability research. While populating the dictionary, it was noticed that many vendors utilize web forms for a user to submit information, which is not always convenient or the preferred contact medium. OSVDB encourages vendors to follow RFC 2142 (section 4) guidelines and have a specific security email address available for use by researchers. This will make it easier for vulnerability researchers to communicate with vendors, and ensure vulnerability reports are not missed.
Brandon Shilling, a member of the OSVDB development team who worked extensively on the vendor dictionary, says, “The function of the dictionary is merely just a foundation for how OSVDB intends to revolutionize the way vulnerabilities are disclosed to the vendor.” The OSVDB dictionary is the first phase for additional upcoming services including assisting researchers with ethically disclosing vulnerabilities, helping to verify vulnerabilities, and the OSVDB vulnerability portal.
Posted by jkouns
Tue, 01 Jun 2004 05:15:37 GMT
We have had an overwhelmingly positive response since the go-live of the Open Source Vulnerability Database project, and would like to thank everyone that has supported OSVDB. In the two months since, we’ve gained many new volunteers and have over fifty active data manglers. Thanks to their dedication and hard work, we have made great progress updating the database content, and have 3000 vulnerabilities in the “stable” status.
As well as the database content, we have achieved a project milestone to help support the growth and adoption of OSVDB. In addition to the RSS feed (http://www.osvdb.org/backend/rss.php) of daily “stable” vulnerabilities, the entire database is now available in XML format. Custom scripts are available to load the data into PostgreSQL, MySQL and Microsoft Access databases. Any feedback on the XML format or scripts is greatly appreciated.
Also on the new feature list is the OSVDB XML-RPC server. This had been requested by numerous security tools to help the active integration with and usage of OSVDB. We have developed our own library of procedure calls to be used as a means of retrieving data via XML-RPC. This library may be utilized to search and display data contained in the OSVDB database. We want to send special thanks to Brandon for all of his hard work and making this big step for OSVDB possible!
Since the OSVDB go-live, the development team has been inundated with requests for bug fixes, enhancements and major functionality changes. They previously posted a request for new developers, and are still seeking additional help. If interested, please email Forrest Rae.
We have had many people contact us and offer support for the project. We are currently determining our long-term hosting strategy, and appreciate the many offers of mirror space. When we have a clear strategy defined, we will be reviewing and evaluating all of the offers. Most notable of the support offers, we’d like to thank Churchill & Harriman (http://www.chus.com/), who became our first financial sponsor. We appreciate their support to help ensure the long-term success of OSVDB, and hope others will follow their lead.
OSVDB continues to aggressively update the content of the database, as well as strive to complete the objectives we have previously outlined. We will also continue to update the community as major accomplishments are achieved. As always, please feel free to contact us with ideas, questions or feedback.
Posted by jkouns
Wed, 31 Mar 2004 06:14:46 GMT
The Open Source Vulnerability Database (OSVDB), a project to catalog and describe the Internet’s security vulnerabilities, opened for public use on 31 March 2004.
The OSVDB project was launched in 2002 following a realization in the security community that no independent, community-operated vulnerability database existed. There were, and still are, numerous vulnerability databases. Some of these databases are managed by private interests to meet their own requirements, while others contain a limited subset of vulnerabilities or have significant restrictions on their content. None are simultaneously comprehensive, open for free use, and answerable to the community. The OSVDB’s organizers set out to implement a vulnerability database that meets all those requirements.
The OSVDB project has been successful in fulfilling its original objectives. The project concentrated at first on establishing a core group of project organizers, on creating the technical infrastructure to collect and validate vulnerability data, and on building a team of contributors to create the open-source vulnerability records. These goals have been met, and the OSVDB team is now planning its next stage of growth. After a significant period of development (in effect, an “alpha” release), it has been opened to the public as of 31 March 2004 at http://www.osvdb.org/.
A GROWING PROBLEM
According to CERT’s statistics, the number of computer security vulnerabilities found each year has risen over two thousand percent since 1995. Tracking these vulnerabilities and their cures is critical for those who protect networked systems against accidental misuse and deliberate attack, from home users and small businesses to globe-spanning enterprises.
Annual vulnerability announcements number in the thousands, well beyond the capacity for human memory to manage. Well-organized databases, with verified contents and flexible search abilities, are required if these vulnerabilities are to be controlled by the security community. The OSVDB provides the necessary structure, technology, and content to support that community requirement for vulnerability management.
AN OPEN SOLUTION
The OSVDB’s main goal is to be complete and to be without bias. It should serve as one-stop shopping for all vulnerability needs. Developers creating vulnerability-assessment tools, system administrators protecting servers and networks, business staff assessing risks and remedies, academic researchers documenting and analyzing the past and future of network security: all expend effort to identify vulnerabilities, all work to document them consistently, all can benefit from a single, comprehensive source of vulnerability data. The OSVDB is this source, reducing duplication of effort while it promotes data consistency.
The OSVDB is unbiased and neutral in its practices for accepting, reviewing, and publishing vulnerabilities. Its open acceptance of community input and internal review processes ensure that the vulnerability database is not colored by vendor-related biases. OSVDB organizers believe that more than one vulnerability database is needed to meet the full variety of community requirements. While it references the other vulnerability databases, it develops its own database entries to ensure that there are no restrictions on distribution and re-use of the OSVDB vulnerability data: its contents are free of cost and free of restrictions on use.
FUTURE DIRECTIONS
Licensing
Research and analysis of licensing alternatives for the OSVDB products and services are underway. The OSVDB project team expects to produce the final project license in the second quarter of 2004. In the meantime, a working-draft license is in force (see the OSVDB website at http://www.osvdb.org/license.php).
Formal non-profit standing
The OSVDB team is currently working to provide the required legal status by incorporating an organization under United States law. The organization, tentatively named the Open Security Foundation, will be a private not-for-profit foundation. Its mission is to make information-technology (IT) security information and services freely available to all who need it. The foundation’s initial project will be the Open Source Vulnerability Database, but it will be capable of hosting additional security projects and will actively seek out suitable ones.
OSVDB ethical vulnerability disclosure
The OSVDB’s policy on the release of vulnerability information will incorporate clear guidelines on the timing of notification to the product developer, and of notification to the open security community. The OSVDB’s approach will support an ethical and predictable process for this release. The policy is expected to be published in the second quarter of 2004.
Recruitment
An open-source project succeeds or fails based on the support of its volunteer participants. The long-term viability of the OSVDB project depends on continuous success in recruiting new participants, and in recognizing the contributions of those who work within the project. Programs and initiatives to publicize the OSVDB’s work and to recruit new participants will be pursued in the second quarter of 2004 and continuously after that.
Expansion of the vulnerability database
In its initial development phase, the OSVDB project created an online content-management system to add vulnerability records to the database. The system supports the initial research and creation of records, the review process, and incorporation of the finalized records into the public database. Throughout initial use and testing, the system has been improved continuously to streamline the needed tasks and to make it easier to perform the research and cross-referencing needed to complete a vulnerability record. This focus on ease of use will help contributors work efficiently and will speed the creation of vulnerability records, leading to the desired expansion of the vulnerability database.
Advanced vulnerability retrieval
The vulnerability database is currently available in its entirety from the OSVDB website. The OSVDB is developing tools to make it easy to search the vulnerability database on-line so that straightforward queries are easy to make. For those requiring a higher degree of automation in querying and retrieving vulnerabilities, an XML-formatted version of the database will be developed so that automated processes can query it remotely. The OSVDB system will also prototype automated posting of vulnerabilities through an RSS-like “push” mechanism. Subscribers will receive each new vulnerability at the moment it is cleared into the database, and can choose to set customized filters to receive a subset of those records as needed. These new features are intended to be put in place over the second and third quarters of 2004.
Active integration with vulnerability tools
Tracking existing and new vulnerabilities is one of the toughest challenges for developers of security tools. OSVDB is working to streamline the process of identifying and setting priorities for the vulnerabilities it provides to tool developers like the Nessus, Snort, and Nikto projects. In brief, the OSVDB will assist vulnerability-tool developers to identify vulnerabilities that are not already represented in their products, and will provide a way to identify the high-priority vulnerabilities for immediate attention.
CONCLUSION
The OSVDB is relatively new in the arena of open-source projects. It was first conceived in the summer of 2002, and has already put in place much of the organization, technology, and process needed to meet its initial goals. Continuing to build on that foundation, however, will allow the OSVDB to become more useful and more central to the information-technology security community. The upcoming year promises not just incremental improvements to the OSVDB, but also innovations to the existing legal and organizational structure of the project, a focus on recruitment of project participants, and technical advances to make the project even more valuable to the security community. The OSVDB online system can be found at www.OSVDB.org.
Complete information on the OSVDB’s aims and objectives can be found at: http://osvdb.org/documentation.php
MORE INFORMATION
Jake Kouns
Open Source Vulnerability Database Project
jkouns@osvdb.org
JOIN THE PROJECT
The network needs YOU! Check out the project FAQs at http://www.osvdb.org/faq.php, then join using the form at http://www.osvdb.org/newuser.php.
Posted by jkouns
Tue, 16 Dec 2003 06:11:49 GMT
Some people have voiced concerns recently around the readiness and licensing of OSVDB. Although one may question the motives, we feel it is important to acknowledge and address the issues raised, as they are valid concerns.
It is critical to understand that the current OSVDB web site is a beta “service”. Until March of 2004, it will undergo a lot of changes, the most noticeable being database population. In the coming months, there will be more fields associated with each vulnerability to further enhance the database and provide the relevant information needed. Even though not all entries in the database are in stable status, it is possible to view all entries at this point.
One of the biggest tasks outstanding for OSVDB is refining the current licensing agreement. OSVDB is meant to be free to the information security community and needs to be properly licensed to ensure there are no legal issues for contributors to the project. However, there is one major concern that is still an unresolved issue. OSVDB does not want to have members of the security community volunteer their time, create an incredible database and then have the next commercial scanner come along and use the database to feed their scanning engine without supporting the project. If you have read the current terms of service you will see that it is not worded appropriately at this point, but it is on the list of things to be addressed.
OSVDB is not a company. While we have Digital Defense currently providing hardware and bandwidth support, they do not own the database. Furthermore, since the project is meant for the open source community, anyone can download the entire database at any time and manipulate it as they see fit. This is something you won’t find with any other public or private vulnerability database.
If you have concerns about the licensing of OSVDB please send your concerns and suggestions to moderators@osvdb.org.
Posted by jkouns
Mon, 08 Dec 2003 06:04:47 GMT
The Open Source Vulnerability Database (http://www.osvdb.org) is currently recruiting security enthusiasts to support the project. The concept of OSVDB was introduced to create an unbiased, vendor neutral vulnerability database for utilization by individuals in the information security community.
We have an immediate need for individuals with information security experience to join the project and help update the database. Volunteers in this role are expected to update at least one vulnerability per day over a period of a month. On average, we estimate that a vulnerability may take 15 to 30 minutes to update. If you are interested in contributing please visit the website to read more about the project and then apply at http://www.osvdb.org/submissions.php.
We are looking for long term support from the security community in a number of ways. We would like to see open source products, websites, and companies start to reference OSVDB IDs. Even though OSVDB is a non-profit project, donations of hardware, Microsoft golf shirts and money would greatly help. Actually, we are looking for some hard drives to help our storage constraints as the database expands.
The OSVDB database is currently on schedule to go live 03/31/2004. Without the support of the community this effort would not be possible! Please contact jkouns@jkouns.com with any questions or feedback.
Posted by jkouns
Sun, 30 Nov 2003 06:00:00 GMT
Loads of improvements have happened on the backend, and many thanks have to go out to Forrest for his hard work! While in our transition phase we have had two truly dedicated manglers (thanks Sullo and Owentl). Many others have helped when they have had time; we are thankful and are also hoping for more support.
There have been many improvements to streamline the backend processes, and more are coming. The most important feature that has been implemented is built-in templates for the External Texts. The goal of having templates is not to be restrictive, but to make an attempt to standardize the format and wording of the database while reducing the time it takes to mangle an entry.
Keep a watch out for more improvements!