The Open Source Vulnerability Database (OSVDB), a project to catalog and describe the world’s security vulnerabilities, has had a challenging yet successful year. The project is fortunate to have the continued support of some devoted volunteers, yet remains challenged to keep up with the increasing number of vulnerability reports, as well as work on the back-log of historical information. Volunteers are continually sought to help us achieve our short and long-term goals.
Despite resource constraints, there have been many exciting successes in 2005:
- A major project goal of obtaining 501(c)3 non-profit status from the U.S. IRS was achieved. Obtaining non-profit status was critical to the long-term viability of the project. This status allows OSVDB to take charitable donations to help cover operating expenses, while providing a tax benefit to donor companies and individuals.
- The vulnerability database has grown to over 22,000 entries thanks to the dedicated work of Brian Martin, OSVDB Content Manager. At the end of December, over 10,000 of those vulnerabilities were worked on by volunteers to provide more detailed and cross-referenced information. Our volunteer “Data Manglers” and Brian have helped ensure OSVDB is the most complete resource for vulnerability information on the Internet.
- OSVDB started a blog in April, as a way for us to keep the public better informed on the project’s status. Very quickly we realized the blog was a perfect place to discuss and comment on various aspects of vulnerabilities, and has become a successful mechanism for communicating with the security industry. If you have suggestions for topics, or would like to join the discussion, please visit the OSVDB blog.
We would like to also recognize our sponsors and thank them for their support. Digital Defense, Churchill & Harriman, Audit My PC, and Opengear have all provided important resources to OSVDB over the past year. We would also like to thank Renaud Deraison of the Nessus Project and HD Moore of the Metasploit Project for their support. Lastly, we of course want to thank our volunteers, and note that several of them have contributed to Nessus Network Auditing, available from Syngress Publishing.
We are very pleased with the progress and growth of OSVDB over the past year, but do not want to downplay the importance of recruiting new volunteers, as well as retaining our current ones, in order to get through the considerable back-log of vulnerabilities that need further work. This task is daunting, but will not only help retain valuable historical vulnerability information, but will also allow OSVDB to generate meaningful statistics for past and current years.
We have had a great year, and are looking forward to another one! We are of course still seeking assistance to help keep OSVDB successful–the project has many ideas in need of financial and volunteer support to implement. For more information on supporting OSVDB through volunteering or sponsorship, please contact firstname.lastname@example.org.
We have had an overwhelming positive response since the go-live of the Open Source Vulnerability Database project, and would like to thank everyone that has supported OSVDB. In the two months, we’ve gotten many new volunteers and have over fifty active data manglers. Thanks to their dedication and hard work, we have made great progress updating the database content, and have 3000 vulnerabilities in the “stable” status.
As well as the database content, we have achieved a project milestone to help support the growth and adoption of OSVDB. In addition to the RSS feed (http://www.osvdb.org/backend/rss.php) of daily “stable” vulnerabilities, the entire database is now available in XML format. Custom scripts are available to load the data into PostgreSQL, MySQL and Microsoft Access databases. Any feedback on the XML format or scripts is greatly appreciated.
Also on the new feature list is the OSVDB XML-RPC server. This had been requested by numerous security tools to help the active integration with and usage of OSVDB. We have developed our own library of procedure calls to be used as a means of retrieving data via XML-RPC. This library may be utilized to search and display data contained in the OSVDB database. We want to send special thanks to Brandon for all of his hard work and making this big step for OSVDB possible!
Since the OSVDB go-live, the development team has been inundated with requests for bug fixes, enhancements and major functionality changes. They previously posted a request for new developers, and are still seeking additional help. If interested, please email Forrest Rae.
We have had many people contact us and offer support for the project. We are currently determining our long-term hosting strategy, and appreciate the many offers of mirror space. When we have a clear strategy defined, we will be reviewing and evaluating all of the offers. Most notable of the support offers, we’d like to thank Churchill & Harriman (http://www.chus.com/), who became our first financial sponsor. We appreciate their support to help ensure the long-term success of OSVDB, and hope others will follow their lead.
OSVDB continues to aggressively update the content of the database, as well as strive to complete the objectives we have previously outlined. We will also continue to update the community as major accomplishments are achieved. As always, please feel free to contact us with ideas, questions or feedback.