Monthly Archives: January, 2008

The purpose of tracking numbers.. (Sun)

Early in 2006, I posted about HP using multiple identifiers for the same vulnerability. Recently, Sun Microsystems has done a little overhaul to their advisory pages and I noticed that they too now use entirely too many tracking numbers.

For example, this Sun advisory has the following:

  1. Document ID: 200582
  2. Old Document ID: (formerly 103143)
  3. Bug ID: 6497289
  4. SA Document Body: PPGNRLA Internal ID use only.

Why is one tracking number so difficult?

Ruby on Rails developers needed! Testers too!

Ruby on Rails developers needed! Testers too!
by d2d

We are looking for a few Ruby on Rails programmers to help us further the OSVDB project. The positions are volunteer, and we have little to offer outside of some interesting programming challenges, kudos, and satisfaction in helping to further a great resource for the community.

The requirements are that you have at least some experience with rails and subversion, as well as working with a team. If you’ve worked with STI, RESTful stuff, and all manner of XML parsing fun, that would be a plus.

We’re also looking for testers to help us hammer away at new code before pushing it live. The testing help is also volunteer, and requires very little time commitment. Essentially, when the developers need something tested, we’ll shoot out an email to the testing volunteers to hammer away at something specific.

If either of these are of interest, send an email to and let us know which role you’re interested in.

OSVDB API and Enhanced Cross-referencing

OSVDB API and Enhanced Cross-referencing
by d2d

We are pleased to announce the OSVDB API beta.

Integration and cross-referencing with OSVDB just got a lot easier via the new application programming interface (API), which can provide multiple result formats to fit various needs. Queries can be run against any number of correlation factors, including CVE ID, Microsoft Bulletin ID, Bugtraq ID, and a host of other common reference points. The API is also under constant development, particularly during beta, and suggestions for improvements are quickly and easily implemented by the OSVDB development team.

Some technical details about the API include:

  • It is a RESTful interface to the OSVDB database
  • It returns your choice of XML or CSV
  • Allows OSVDB ID correlation to a growing list of other references and integrators products
  • And importantly, it is free – though donations are appreciated.

To begin using the API, first, login or create an account, then visit the API overview for general information, or skip right to the API Documentation to get started. During beta and perhaps beyond, accounts are limited to 100 queries per day. To request a greater allotment of daily queries, fill out the Integration request form.

In other news, we have done some significant mapping work over the last month. We have broken out certain references into a new category called “Tools & Filters”. A good example of how this section works is OSVDB ID 40229. We then worked to map:

  • Over 9,500 OSVDB ID’s to Nessus nasls
  • Over 1,000 OSVDB ID’s to Snort filter ID’s
  • Over 400 OSVDB ID’s to Nikto scans

We are also in the process of working with other vendors and products to map out more tools. If you have an open source or commercial security product, and you reference vulnerabilities, contact moderators for information on how we can include your filters/rules in our vulnerability listings.