[ISN] Open Source Vulnerability Database Opens Vendor Dictionary

InfoSec News isn at c4i.org
Wed Sep 1 13:22:18 EDT 2004

Forwarded from: Jake <jkouns at opensecurityfoundation.org>

Open Source Vulnerability Database Opens Vendor Dictionary

The Open Source Vulnerability Database, a project to catalog and
describe the world's security vulnerabilities, has expanded its
offering and, on 31 August, opened a vendor dictionary that serves as a
centralized, publicly available resource for vendor contact information.

The OSVDB vendor dictionary is a resource through which the security
community will be able to gather contact information for a desired
vendor.  The vendor dictionary is a list of vendors, indexed by name,
which may be freely searched and utilized by all who wish to find both
general and security contact information.  The service also provides a
way for vendors to keep their information current within the
dictionary.  With straightforward forms, OSVDB will be a concise and
central repository for up-to-date, accurate vendor contact
information, and it's free.

"Vendors expect to be contacted when researchers find security holes,
no matter what," says Jake Kouns, project lead for OSVDB. "However,
many vendors do not provide easy to locate contact information on
their websites. This makes it challenging, time consuming and
sometimes impossible for security researchers to follow responsible
disclosure practices."

OSVDB aims to make it simple for contact information to be shared
between researchers and vendors.  The vendor dictionary is essentially
a giant phonebook of vendors with current contact information,
interfaced directly with the OSVDB database.  It is designed for
vendors, security professionals, and the security community alike.
Many security researchers who routinely practice ethical disclosure
find themselves unable to do so because the required vendor contact
information is sometimes too hard to find.
Alexander Koren, an OSVDB volunteer from Germany, explains, "There
will no longer be a need to dig through web pages to hopefully find
all the necessary information anymore."  OSVDB realizes the necessity
for a current and free resource for this information, and has
responded by developing the dictionary to fill this gap.

Even though anyone can help maintain the dictionary, OSVDB calls for
all software and hardware vendors to visit the vendor dictionary and
ensure that their contact information is accurate and complete.
OSVDB also urges vendors to reassess the means through which a
researcher may contact them with vulnerability research. While
populating the dictionary, OSVDB noticed that many vendors rely on
web forms for users to submit information, which is not always
convenient and is often not the preferred contact medium.  OSVDB
encourages vendors to follow the RFC 2142 (section 4) guidelines and
publish a dedicated security email address for use by researchers.
This makes it easier for vulnerability researchers to reach vendors
and helps ensure that vulnerability reports are not missed.

Brandon Shilling, a member of the OSVDB development team who worked
extensively on the vendor dictionary, says, "The function of the
dictionary is merely just a foundation for how OSVDB intends to
revolutionize the way vulnerabilities are disclosed to the vendor."
The OSVDB dictionary is the first phase for additional upcoming
services including assisting researchers with ethically disclosing
vulnerabilities, helping to verify vulnerabilities, and the OSVDB
vulnerability portal.

The OSVDB vendor dictionary can be found at www.OSVDB.org.


More Information:

Jake Kouns
Open Source Vulnerability Database Project
jkouns at osvdb.org
