Some people have voiced concerns recently around the readiness and licensing of OSVDB. Although one may question the motives, we feel it is important to acknowledge and address the issues raised, as they are valid concerns.
It is critical to understand that the current OSVDB web site is a beta “service”. Until March of 2004, it will undergo a lot of changes, the most noticeable being database population. In the coming months, there will be more fields associated with each vulnerability to further enhance the database and provide the relevant information needed. Even though all entries in the database are not in stable status, it is possible to view all entries at this point.
One of the biggest tasks outstanding for OSVDB is refining the current licensing agreement. OSVDB is meant to be free to the information security community and needs to be properly licensed to ensure there are no legal issues for contributors to the project. However, one major concern is still unresolved. OSVDB does not want to have members of the security community volunteer their time, create an incredible database and then have the next commercial scanner come along and use the database to feed their scanning engine without supporting the project. If you have read the current terms of service, you will see that it is not worded appropriately at this point, but it is on the list of things to be addressed.
OSVDB is not a company. While we have Digital Defense currently providing hardware and bandwidth support, they do not own the database. Furthermore, since the project is meant for the open source community, anyone can download the entire database at any time and manipulate it as they see fit. This is something you won’t find with any other public or private vulnerability database.
If you have concerns about the licensing of OSVDB, please send your concerns and suggestions to email@example.com.
The Open Source Vulnerability Database (http://www.osvdb.org) is currently recruiting security enthusiasts to support the project. The concept of OSVDB was introduced to create an unbiased, vendor-neutral vulnerability database for utilization by individuals in the information security community.
We have an immediate need for individuals with information security experience to join the project and help update the database. Each person in this role is expected to update at least one vulnerability per day over a period of a month. On average, we estimate that it may take 15 to 30 minutes per vulnerability. If you are interested in contributing, please visit the website to read more about the project and then apply at http://www.osvdb.org/submissions.php.
We are looking for long-term support from the security community in a number of ways. We would like to see open source products, websites, and companies start to reference OSVDB IDs. Even though OSVDB is a non-profit project, donations of hardware, Microsoft golf shirts and money would greatly help. Actually, we are looking for some hard drives to help our storage constraints as the database expands.
The OSVDB database is currently on schedule to go live 03/31/2004. Without the support of the community this effort would not be possible! Please contact firstname.lastname@example.org with any questions or feedback.