At the Black Hat and Defcon security conferences, security community volunteers announce two important new services for the security community and a new partnership for community-based security information sources. The first is the VulnDiscuss mailing list, a new full disclosure forum that compliments the existing VulnWatch accouncement list. VulnDiscuss is meant to foster the discussion of security issues and vulnerabilities by providing a forum for recent security announcements to be discussed. VulnDiscuss will be under moderator control to keep it topical, and access is open to anyone who wishes to participate or observe.
The second is the Open Source Vulnerability Database (OSVDB). OSVDB – A database built and maintained for the community, by the community. The goal of the Open Source Vulnerability Database is to provide accurate, technical, up to date, unbiased, and reliable vulnerability information to the community for free.
The redundant time, effort and money that individual people and companies put into maintaining proprietary databases will be cut by exorbitant amounts by participating in a community that is working toward a common goal. The database will have no commercial licensing restrictions, allowing corporations, businesses, and individuals alike to use this information in any way they wish without having to pay a dime.
The OSVDB project will be debuting with thousands of vulnerability entries provided by databases donated by Digital Defense, Inc., and SensePost. This will provide a strong base to start from, allowing OSVDB to immediately track new vulnerabilities and provide quality data from the start. The continued help of Farm9, NMRC, Neohapsis, Packetstorm, VulnWatch, and many other industry experts is invaluable to this project.
And finally the third is a formal partnership between multiple community-based security information sources: PacketStorm, Open Source Vulnerability Database, Alldas.org, and VulnWatch. The partnership will come together under the Internetworked Security Information Services initiative (ISISi) title, which will remain a non-profit, vendor-neutral entity run by volunteers from the security community. All involved projects share the common goal of providing accessible information security resources useful for researchers, IT Professionals, and the general public, while adhering to a not-for-profit operation model. The initiative allows the projects to share resources and volunteers, eliminate redundancy, and provide a single organized access point to all information which is currently dispersed amongst the individual projects. Current ISISi information is available at www.isisi.org.
“[ISISi] allows us to pool our resources and increase the effectiveness of our respective initiatives while giving information security professionals co-ordinated, higher quality, open source security information than was possible previously.” — Emerson Tan, Spokesman and Ideologue, Packetstormsecurity.org.
“Each of the projects involved in this initiative have committed to remaining independent and not-for-profit, this is a key requirement for participation as we want this to be a community supported effort, for the community by the community.” — Steve Manzuik, founder and co-moderator of VulnWatch.
The individual projects can be contacted at the addresses below.
- VulnWatch. Full disclosure security forums and resources. Press contact: Steve Manzuik, firstname.lastname@example.org.
- Alldas.org. The most complete and up to date mirror of web site defacements that includes statistics and trend analysis. Press contact: email@example.com.
- PacketStorm. Repository of vulnerability and exploit information. Press contact: Emerson Tan, firstname.lastname@example.org.
- OSVDB.org. A database built and maintained for the community, by the community. Press contact: email@example.com.