Back in January, I issued a challenge to see how many new vulnerabilities would be entered into OSVDB over a three-month period. January went by, then February, and then March came and went. For anyone out there keeping score, here’s March’s totals:
2010-03-01: 32 vulns pushed, 164 vulns updated
2010-03-02: 27 vulns pushed, 149 vulns updated
2010-03-03: 9 vulns pushed, 73 vulns updated
2010-03-04: 53 vulns pushed, 207 vulns updated
2010-03-05: 17 vulns pushed, 94 vulns updated
2010-03-06: 9 vulns pushed, 56 vulns updated
2010-03-07: 4 vulns pushed, 103 vulns updated
2010-03-08: 25 vulns pushed, 125 vulns updated
2010-03-09: 42 vulns pushed, 157 vulns updated
2010-03-10: 24 vulns pushed, 243 vulns updated
2010-03-11: 7 vulns pushed, 64 vulns updated
2010-03-12: 52 vulns pushed, 148 vulns updated
2010-03-13: 4 vulns pushed, 15 vulns updated
2010-03-14: 2 vulns pushed, 43 vulns updated
2010-03-15: 18 vulns pushed, 136 vulns updated
2010-03-16: 77 vulns pushed, 232 vulns updated
2010-03-17: 31 vulns pushed, 277 vulns updated
2010-03-18: 48 vulns pushed, 458 vulns updated
2010-03-19: 3 vulns pushed, 224 vulns updated
2010-03-20: 25 vulns pushed, 100 vulns updated
2010-03-21: 3 vulns pushed, 222 vulns updated
2010-03-22: 18 vulns pushed, 101 vulns updated
2010-03-23: 0 vulns pushed, 60 vulns updated
2010-03-24: 5 vulns pushed, 20 vulns updated
2010-03-25: 39 vulns pushed, 162 vulns updated
2010-03-26: 38 vulns pushed, 245 vulns updated
2010-03-27: 40 vulns pushed, 95 vulns updated
2010-03-28: 18 vulns pushed, 41 vulns updated
2010-03-29: 14 vulns pushed, 329 vulns updated
2010-03-30: 46 vulns pushed, 413 vulns updated
2010-03-31: 44 vulns pushed, 341 vulns updated
2010-04-01: 63 vulns pushed, 397 vulns updated
Yes, we missed a day on the 23rd, but there’s a good excuse there. It was the following Tuesday after St. Patrick’s Day, which is usually around the time my hangover wears off and I realized that food and sleep are “good things”, so I took a day off. I think. If you have any evidence that I was conscious on March 23, mail me. Just curious.
Anyway, there you go. Over the course of the challenge, we promoted 2,060 new vulnerabilities into OSVDB, and as promised, I’ll be donating $1,030.00 to the Open Security Foundation. Extra special thanks go to all of the moderators and manglers who made it happen; you have no idea how much time and effort they all spent to get these vulnerabilities into the database. Now that the challenge is over, anybody out there who would like to match the challenge, even on a fractional basis (such as 25% of the amount donated), please contact us here and we’ll provide details.
Back in early January, I issued a challenge to donate to OSF’s Winter Fundraiser for every new vulnerability pushed into OSVDB. Two of the three months have come and gone, and even though January was a little more productive than February in terms of new vulnerabilities, the moderation team is still making good progress:
2010-02-01: 13 vulns pushed, 133 vulns updated
2010-02-02: 31 vulns pushed, 79 vulns updated
2010-02-03: 25 vulns pushed, 145 vulns updated
2010-02-04: 21 vulns pushed, 31 vulns updated
2010-02-05: 25 vulns pushed, 153 vulns updated
2010-02-06: 8 vulns pushed, 76 vulns updated
2010-02-07: 3 vulns pushed, 278 vulns updated
2010-02-08: 27 vulns pushed, 64 vulns updated
2010-02-09: 47 vulns pushed, 159 vulns updated
2010-02-10: 37 vulns pushed, 160 vulns updated
2010-02-11: 16 vulns pushed, 59 vulns updated
2010-02-12: 27 vulns pushed, 128 vulns updated
2010-02-13: 10 vulns pushed, 51 vulns updated
2010-02-14: 4 vulns pushed, 112 vulns updated
2010-02-15: 12 vulns pushed, 81 vulns updated
2010-02-16: 23 vulns pushed, 181 vulns updated
2010-02-17: 28 vulns pushed, 235 vulns updated
2010-02-18: 25 vulns pushed, 119 vulns updated
2010-02-19: 43 vulns pushed, 261 vulns updated
2010-02-20: 11 vulns pushed, 126 vulns updated
2010-02-21: 2 vulns pushed, 34 vulns updated
2010-02-22: 3 vulns pushed, 64 vulns updated
2010-02-23: 41 vulns pushed, 221 vulns updated
2010-02-24: 37 vulns pushed, 112 vulns updated
2010-02-25: 15 vulns pushed, 138 vulns updated
2010-02-26: 17 vulns pushed, 146 vulns updated
2010-02-27: 9 vulns pushed, 17 vulns updated
2010-02-28: 8 vulns pushed, 24 vulns updated
With 568 new vulnerabilities pushed in February, we’re now up to 1,223 new entries for 2010; personally, I’d like to see that number hit at least 2,000 by the end of March (3,000 may be out of reach, but never say never), but that will depend on the time and efforts of our moderation team and the amount of vulnerabilities uncovered by our multiple reference sources. Please remember that I will donate $0.50 to OSF for every new vulnerability pushed into the database through April 1 (and no, there will not be an April Fools announcement saying that the challenge has been called off), and we’re hoping to obtain some matching offers to help offset the costs of maintaining the database. A special “thank you” goes to all parties who have offered to match the challenge so far, and we hope others who find OSVDB to be a valuable resource can jump in and help us out as well.
31 more days for the challenge… and away… we… go.
Well, it’s been almost a month since we issued our original challenge for the “OSVDB Winter 2010 Fundraising Goal”. As mentioned in our initial post, we’re pretty transparent about how much work we do on a daily/weekly/monthly basis. Thanks to Twitter, pico, and my /home/lyger/wtf-ever folder, we present January’s results:
2010-01-01: 23 vulns pushed, 56 vulns updated
2010-01-02: 21 vulns pushed, 194 vulns updated
2010-01-03: 11 vulns pushed, 143 vulns updated
2010-01-04: 25 vulns pushed, 104 vulns updated
2010-01-05: 50 vulns pushed, 184 vulns updated
2010-01-06: 13 vulns pushed, 94 vulns updated
2010-01-07: 15 vulns pushed, 78 vulns updated
2010-01-08: 33 vulns pushed, 162 vulns updated
2010-01-09: 1 vulns pushed, 127 vulns updated
2010-01-10: 17 vulns pushed, 208 vulns updated
2010-01-11: 30 vulns pushed, 325 vulns updated
2010-01-12: 32 vulns pushed, 385 vulns updated
2010-01-13: 21 vulns pushed, 119 vulns updated
2010-01-14: 18 vulns pushed, 79 vulns updated
2010-01-15: 26 vulns pushed, 199 vulns updated
2010-01-16: 65 vulns pushed, 102 vulns updated
2010-01-17: 15 vulns pushed, 75 vulns updated
2010-01-18: 21 vulns pushed, 130 vulns updated
2010-01-19: 20 vulns pushed, 48 vulns updated
2010-01-20: 22 vulns pushed, 142 vulns updated
2010-01-21: 18 vulns pushed, 83 vulns updated
2010-01-22: 16 vulns pushed, 86 vulns updated
2010-01-23: 16 vulns pushed, 27 vulns updated
2010-01-24: 6 vulns pushed, 30 vulns updated
2010-01-25: 25 vulns pushed, 114 vulns updated
2010-01-26: 8 vulns pushed, 70 vulns updated
2010-01-27: 16 vulns pushed, 90 vulns updated
2010-01-28: 26 vulns pushed, 87 vulns updated
2010-01-29: 20 vulns pushed, 28 vulns updated
2010-01-30: 14 vulns pushed, 52 vulns updated
2010-01-31: 11 vulns pushed, 40 vulns updated
As of early morning February 1, we have pushed 655 new vulnerabilities into the database since the beginning of 2010. Please take a moment to look at the dates listed above; if you find a day missing from January, please let us know. Yes, we laid off on the 9th (Jericho made the save with OSVDB 61571 : EcShop /admin/integrate.php Multiple Parameter Arbitrary Command Execution), but the honest fact is that we generally work on OSVDB *every day* in some form. Some days are slower than others, sure… we still have families, friends, and other hobbies (believe it or not). Actually, the number of OSVDB moderators who own a Wii with the Fit Plus package is scary, but I digress.
So, about the challenge we presented… I’m still willing to put up $0.50 HARD U.S. DOLLARS for every new vulnerability we push from January 1, 2010 through April 1, 2010. I pushed it through April 1 and not just March 31 because a) April 1 is a much cooler day to end a contest, 2) February 29 is a special day and should never be left out of any year, so an extra day was warranted, and d) that’s the period that Dave set up the end of the fundraising goal for, and we try to keep him happy so things don’t randomly 500 when we do something like enter weird support tickets..
Any company or person who still wants to match my offer, please feel free to do so. Even though we’re only at about 2/3 of our usual push rate, we’re not intentionally laying back to keep the new vulnerability count lower. Coming off a holiday season takes time to get back in the groove, not only for us but our reference providers as well. Please mail us at our moderators@ address if you want to contribute.
OSVDB has just announced its Winter 2010 Fundraising Goal, which currently hopes to raise $9,000 before April 1, 2010. Looking back over the last couple of years of advances in the project, it’s easy to see not only how the project has evolved, but also how operational costs have increased to cover software development, content development, server hosting costs, and other assorted expenses to help keep OSVDB interesting, timely, and functional.
On an average, OSVDB has promoted 10,000 to 12,000 vulnerabilites per year for the last the last few years. Breaking that down to about 1,000 per month, the vulnerabilities in the database are gathered from a variety of sources, such as CVE, Secunia and various vendor changelogs and advisories. Keeping up a pace of about 1,000 newly listed vulerabilities per month hasn’t always been easy… but it’s about to get interesting.
I recently resigned my position as Chief Communications Officer with Open Security Foundation to focus more on the “content” aspect of OSVDB and DataLossDB. The extra time gained from giving up administrative duties will hopefully help the sites keep content fresh and accurate. Jericho, CJI, and I are going to keep working on new vulnerabilities as we can and keep the ball rolling.
With that said, I’m issuing a challenge: For every new vulnerability issued an OSVDB ID from January 1, 2010 through April 1, 2010, I will donate $0.50 (fiddy cents) of my own money to the OSVDB fundraiser. I challenge anyone who feels that OSVDB is a valuable resource to the security community to match my donation.
To make a few points clear:
- I am no longer an OSF officer. My donation comes out of my own pocket, not the OSF coffers, and I will accept no compensation from OSF for this offer. If I have to sell a kidney, I hear you only need one anyway.
- Since Jericho, CJI, and I are the ones who generally push new vulnerabilities to “live” status, there will be no slacking to save my bank account. If anything, I’ll be more motivated to push the potential donations higher and they’ll be motivated to watch me suffer on April 2. That’s how we roll.
- At an average of 1,000 vulnerabilities a month, over three months I expect to donate $1,500. It may be less, it may be more. There will be a maximum cap of $2,500 donated by myself and anyone who matches it. If we can push 5,000 vulns in three months, something is either very wrong or very great. YMMV.
- If five other people and/or groups take me up on the challenge and we meet our average, OSF will meet its goal. We still hope everyone else will contribute not only time but *effort* to help the project.
- This is not a gimmick. It’s not smoke and mirrors. You can see what OSVDB pushes on a daily basis on our Twitter page and on our contributors page. We will push all legitimate vulnerabilities just as we have been doing for years. If we’re slow for a few days, don’t worry. We’ll catch up.
So, that’s the challenge. If anyone wants to play and match my offer, please contact us at moderators[at]osvdb.org. I’m going back to work now.