We just recently noticed that OSVDB was discussed during a podcast called Faceoff started by Jade Robbins and Mark Sanborn. In Episode 5: Scaling to Hit it Big, at about 19:54, they talk about OSVDB for several minutes. They cover the project in general and also review several of the basic features of OSVDB and how someone can use the site. They speak about the search capabilities and even mention that OSVDB has a vulnerbaility from back in 1965. This was submitted by Ryan Russell as part of our oldest vulnerability contest and I can now say Ryan has finally received his OSVDB schwag….. only took a couple years for him to get it! =)
They also explain how in addition to the website that the OSVDB database itself can be downloaded and used as well. To clarify a point they discuss, once you create an account with OSVDB you can download the database as many times as you want. They also spend some time discussing our Watchlist feature which I thought was pretty cool that it was mentioned. For those that are not aware, when you create an account you can then setup two types of Watchlists.
The Vendor/Product Watch list
This watchlist will alert you to vulnerabilities for specific products that you subscribe to. Alerts are generated when a vulnerability is updated to include the product and vendor information. Soon, we may introduce a feature that will enable alerting as soon as the vulnerability is processed through our systems.
The Mailing List Aggregation Watch list
OSVDB allows you to subscribe to roughly 20 vendor advisory mailing lists. The advisory mailings are sent to OSVDB, we process them, and forward them on to you. That way, rather than managing 20 individual advisory subscriptions, you only need to manage one through OSVDB.
Thanks to the guys at Faceoff for their support and it is worth listening to the entire podcast. It did make us laugh a bit as they commented at one point that WordPress has all kinds of vulnerabities. Most of our dedicated readers know the ongoing WordPress issues we had and our eventually move away from it! =)
Thanks also to Ryan Heimbuch for suggesting OSVDB to be reviewed.
OSVDB can also now be followed on Twitter: http://www.twitter.com/osvdb
This is a question OSVDB moderators, CVE staff and countless other VDB maintainers have asked. Today, Gunter Ollmann with IBM X-Force released his research trying to answer this question. Before you read on, I think this research is excellent. The relatively few criticisms I bring up are not the fault of Ollmann’s research and methodology, but the fault of his VDB of choice (and *every* other VDB) not having a complete data set.
Skimming his list, my first thought was that he was missing someone. Doing a quick search of OSVDB, I see that Lostmon Lords (aka ‘lostmon’) has close to 350 vulnerabilities published. How could the top ten list miss someone like this when his #10 only had 147? Read down to Ollmann’s caveat and there is a valid point, but sketchy wording. The data he is using relies on this information being public. As the caveat says though, “because they were disclosed on non-public lists” implies that the only source he or X-Force are using are mail lists such as Bugtraq and Full-disclosure. Back in the day, that was a pretty reliable source for a very high percentage of vulnerability information. In recent years though, a VDB must look at other sources of information to get a better picture. Web sites such as milw0rm get a steady stream of vulnerability information that is frequently not cross-posted to mail lists. In addition, many researchers (including lostmon) mail their discoveries directly to the VDBs and bypass the public mail lists. If researchers mail a few VDBs and not the rest, it creates a situation where the VDBs must start watching each other. This in turn leads to “VDB inbreeding” that Jake and I mentioned at CanSecWest 2005, which is a necessary evil if you want more data on vulnerabilities.
In May of 2008, OSVDB did the same research Ollmann did and we came up with different results. This was based on data we had available, which is still admittedly very incomplete (always need data manglers.) So who is right? Neither of us. Well, perhaps he is, perhaps we are, but unfortunately we’re both working with incomplete databases. As a matter of my opinion, I believe OSVDB has better coverage of vulnerabilities, while X-Force clearly has better consistency in their data and a fraction of the gaps we do.
Last, this data is interesting as is, but would be really fascinating if it was mixed with ‘researcher confidence’ (a big thing of Steve Christey/CVE and myself), in which we track a researcher’s track record for accuracy in disclosure. Someone that disclosed 500 vulnerabilities last year with a 10% error rate should not be above someone who found 475 with a 0% error rate. In addition, as Ollmann’s caveat says, these are pure numbers and do not factor in hundreds of XSS versus remote code execution in operating system default install services. Having a weight system that can be applied to a vulnerability (e.g., XSS = 3, SQLi = 7, remote code exec = 9) that is then factored into researcher could move beyond “who discovered the most” and perhaps start to answer “who found the most respectable vulnerabilities”.