[ISN] Volunteer Security Pros Launch Free Vulnerability Database
InfoSec News
isn at c4i.org
Tue Apr 6 10:48:36 EDT 2004
http://www.eweek.com/article2/0,1759,1561608,00.asp
By Dennis Fisher
April 2, 2004
A group of volunteer security professionals has compiled what is
likely one of the larger freely accessible vulnerability databases on
the Internet. The OSVDB (Open Source Vulnerability Database) is meant
to serve as a central collection point for information on any and all
security vulnerabilities.
Despite what you might assume from the name, the project's creators
are not just interested in collecting data on flaws in open-source
software. Instead, they're collecting information on vulnerabilities
from a wide variety of sources that they then distribute freely, under
an open-source license.
The project, which went live on Wednesday, has been in the works since
2002. The team has spent most of its time since then gathering and
categorizing vulnerability data. Most of the records in the database
come from submissions to myriad security-related mailing lists.
OSVDB is run by a small group of security professionals who have
worked on the project on their own time. Jake Kouns, chief moderator
of the team, said the project so far has catalogued nearly 1,900
vulnerabilities, with another 2,700 or so submissions waiting to be
confirmed and edited.
Once a new vulnerability is found, one of more than two dozen
volunteer "data manglers" is assigned to confirm its veracity and get
the information in shape for the database. The flaw is then given a
unique identifier and slated for inclusion.
Kouns said that the group is hoping to begin comparing its database
with other, similar stores, including the CVE (Common Vulnerabilities
and Exposures) project maintained by The Mitre Corp., so that it can
reference CVE numbers wherever they're applicable. The CVE project
assigns unique numbers to each new vulnerability and publishes a
one-line description of the problem.
Currently, the OSVDB supports three open-source security products: the
Snort intrusion detection system, the Nessus network scanner and the
Nikto Web-server scanner.