Wikipedia

Open Source Vulnerability Database: Difference between revisions

Browse history interactively
← Previous editNext edit →
Content deleted Content added
VisualWikitext
Reason end of project
Jericho347 (talk | contribs)
291 edits
extensive additions and clarifications, added citations, more people involved, better explanation of 'process', and more
Line 5:
}}
 
The '''Open Sourced Vulnerability Database''' ('''OSVDB''') was an independent and open-sourced [[vulnerability database]]. The goal of the project was to provide accurate, detailed, current, and unbiased technical information on [[Information security|security]] vulnerabilities.<ref>{{Cite web|last=Rosencrance|first=Linda|date=2004-04-16|title=Brief: Vulnerability database goes live|url=https://www.computerworld.com/article/2563666/brief--vulnerability-database-goes-live.html|access-date=2020-08-15|website=Computerworld|language=en}}</ref> The project promoted greater and more open collaboration between companies and individuals. The database's motto was "Everything is Vulnerable"<ref>{{cite web |title=Biased software vulnerability stats praising Microsoft were 101% misleading |url=https://www.csoonline.com/article/2226625/biased-software-vulnerability-stats-praising-microsoft-were-101--misleading.html |accessdate=20 May 2020}}</ref>.
 
Its goal was to provide accurate, unbiased information about security vulnerabilities in computerized equipment. The core of OSVDB was a relational database which tied various information about security vulnerabilities into a common, cross-referenced [[open security]] data source. As of December 2013, the database cataloged over 100,000 vulnerabilities.<ref>{{cite web |url=https://blog.osvdb.org/2014/01/20/we-hit-the-100000-mark/ |title=We hit the 100,000 mark… |date=20 January 2014 |access-date=22 January 2020}}</ref> While the database was maintained by a 501(c)(3) non-profit public organization and volunteers, the data was prohibited for commercial use without a license. Despite that, many large commercial companies used the data in violation of the license without contributing employee volunteer time or financial compensation.<ref>{{Cite web|title=McAfee accused of McSlurping Open Source Vulnerability Database|url=https://www.theregister.com/2014/05/08/whats_copyright_mcafee_mcslurps_vuln_database/|access-date=2020-08-15|website=www.theregister.com|language=en}}</ref>
 
==History==
The project was started in August 2002 at the [[Black Hat Briefings|Blackhat]] and [[DEF CON]] Conferences by several industry notables (including [[H. D. Moore]], rain.forest.puppy, and others). Under mostly-new management, the database officially launched to the public on March 31, 2004.<ref>{{cite news |url=https://www.networkworld.com/article/3053613/open-source-vulnerabilities-database-shuts-down.html |title=Open-source vulnerabilities database shuts down |first=Jon |last=Gold |work=Network World |date=7 April 2016 |access-date=22 January 2020}}</ref> The original implementation was written in PHP by Forrest Rae (FBR). Later, the entire site was re-written in Ruby on Rails by David Shettler.
 
The [[Open Security Foundation]] (OSF) was created to ensure the project's continuing support. BrianJake MartinKouns (Zel), Chris Sullo, Kelly Todd (AKA JerichoLyger), David Shettler (AKA D2D), and JakeBrian KounsMartin (AKA Jericho) were project leaders for the OSVDB project, and currently holdheld leadership roles in the OSF.<ref>{{cite webat |url=https://www.riskbasedsecurity.com/leadership/various |title=Leadership |work=Risk Based Security |access-date=22 January 2020}}</ref>times.
 
On 5 April 2016, the database was shut down, wherewhile the blog was initially continued by Brian Martin.<ref>{{cite web |url=https://blog.osvdb.org/2016/04/05/osvdb-fin/ |title=OSVDB: Fin |date=5 April 2016 |access-date=22 January 2020 |archive-url=https://web.archive.org/web/20160528152631/https://blog.osvdb.org/2016/04/05/osvdb-fin/ |archive-date=28 May 2016 |url-status=dead }}</ref> The reason for the shut down was the ongoing commercial but uncompensated use by security companies.<ref>{{citeCite web|last=Kovacs|first=Eduard|title=McAfee Issues Response to OSVDB Accusations Regarding Data Scraping|url=https://resourcesnews.whitesourcesoftwaresoftpedia.com/blog-whitesourcenews/openMcAfee-sourceIssues-vulnerabilityResponse-to-databases/ |title=OSVDB/VulnDB Open Source Vulnerability Database -Accusations-Regarding-Data-Scraping-441323.shtml|access-date=5 June 2020-08-15|website=softpedia|language=english}}</ref>
 
As of January 2012, vulnerability entry was performed by full-time employees of Risk Based Security <ref>{{Cite web|title=Homepage|url=https://www.riskbasedsecurity.com/|access-date=2020-08-15|website=RBS|language=en-US}}</ref>, who provided the personnel to do the work in order to give back to the OSFcommunity. Every new entry included a full title, disclosure timeline, description, solution (if known), classification datametadata, references, products, and researcher who discovered the vulnerability (creditee).
==Process==
Originally, vulnerability reports, advisories, and exploits posted in various security lists entered the database as a new entry. The new entry contained only a title and links to entries of the same vulnerability in other security lists. However, at this stage the page for the new entry didn't contain any detailed description of the vulnerability. After the new entries were thoroughly scrutinized, analyzed and refined, descriptions of the vulnerability, its solutions and test notes were added. Then these details were reviewed by other members of '''OSVDB''', further refined if necessary, and then made stable. Once it was stable, the detailed information appeared on the page for the entry.
 
==Process==
As of January 2012, vulnerability entry was performed by full-time employees of the OSF. Every new entry included a title, description, solution (if known), classification data, references, products, and creditee.
Originally, vulnerability disclosures posted in various security lists and web sites were entered into the database as a new entry in the New Data Mangler (NDM) queue. The new entry contained only a title and links to the disclosure. At that stage the page for the new entry didn't contain any detailed description of the vulnerability or any associated metadata. As time permitted, new entries were analyzed and refined, by adding a description of the vulnerability as well as a solution if available. This general activity was called "data mangling" and someone who performed this task a "mangler". Mangling was done by core or casual volunteers. Details submitted by volunteers were reviewed by the core volunteers, called "moderators", further refining the entry or rejecting the volunteer changes if necessary. New information added to an entry that was approved was then available to anyone browsing the site.
 
==Contributors==
Some of the people that volunteered and maintained '''OSVDB''':
Some enthusiastic hackers are volunteering to maintain '''OSVDB'''. Some of the active members are as follows:
 
* BrianJake MartinKouns (COOOfficer of OSF, Moderator)
* Jake[[Chris KounsSullo]] (CEOOfficer of OSF, Moderator)
* Brian Martin (Officer of OSF, Moderator)
* Kelly Todd (Officer of OSF, Moderator)
* David Shettler (Officer of OSF, Developer)
* Forrest Rae (Developer)
 
Other volunteers who have helped in the past include:
 
* [[Chris Sullo]] (Moderator)
* Steve Tornio (Moderator)
* Alexander Koren (Mangler)
* Travis Schack (Mangler)
* Susam Pal (Mangler)
* Christian Seifert (Mangler)
* Zain Memon (Codebase)
 
== References ==
Retrieved from "https://en.wikipedia.org/wiki/Open_Source_Vulnerability_Database"