[VIM] Secunia has now put ALL vulnerability info behind login?

security curmudgeon jericho at attrition.org
Wed Apr 30 18:56:33 CDT 2014


On Wed, 30 Apr 2014, Christey, Steven M. wrote:

: SecurityFocus, OSVDB, and now Secunia have all restricted access in one 
: form or another.  While I recognize there are numerous reasons for doing 
: so, hopefully this trend won't continue, and hopefully we VDB 
: specialists can figure out the best model(s).

This is a pretty gross mischaracterization in the context in which you put it.

SecurityFocus has had very little info available on their public side 
(e.g. they rarely show provenance, aren't mapped fully to CVE, use overly 
generic descriptions etc). Their commercial offering has beefier 
descriptions but largely generic templates, typically shows provenance 
(but not always), etc.

Secunia has removed almost all of their information as of a few days ago.

Compared to OSVDB, who has only restricted access to some dates, tech 
notes, and testing notes... leaving our entries 80% or more open, and 
always showing provenance (which may change, due to continued abuse of our 
resources by gov, mil, com, international, etc).

Comparing OSVDB to those two in that way, in my opinion, is wrong. If and 
when we close up more, then a comparison is more likely in order. And when 
that happens, know that it isn't because we want it. We'd rather be able 
to stay open to support the community, but there are an abundance of 
unethical companies that will go to great lengths not to license the data.

--

As to the 'why', we all know basically what prompts it. What amuses me is 
that BID started to use us heavily for a few weeks until we made changes 
to prevent scraping, then removed the 'last 10' on the front page. After 
that they quickly switched to using Secunia heavily. Even two days after 
Secunia closed off most information, BID is *still* using them heavily. We 
can see this very clearly. As an example, today there were three separate 
cases where Secunia released an advisory on an issue older than 10 days. 
Less than 12 hours later, BID released an advisory on the exact same 
issue. The odds of both of them finding those three very different vulns 
on the same day, as many as two weeks after disclosure, are slim. (This is 
the value of us trying to maintain a 100% cross-reference mapping to as 
many databases as we can. =)

What used to be more open is now a matter of competitive intel. Again, 
this is my opinion, but watching Secunia and BID fight to use other VDBs 
and *still* remain so woefully behind is amusing, if not a bit pathetic.

Finally, remember that CVE is a "specialty database" (only term I can use 
that you agree with =) that gets government funding. The others are 
commercial models and that is how data aggregation is funded. You can give 
the pouty eyes and 'woe is us' but quite simply, we all have to figure out 
ways to make our databases happen.

: Scott and Ken - not to put you *too* much on the spot, but since your 
: VDBs are closely attached to your products, I'm wondering if you have a 
: different business model and less of an existential threat than the 
: "vuln intelligence" VDBs do?

Careful with those air quotes. You can argue all day long, but more 
companies use CVE for vuln intelligence than OSVDB, Secunia, and BID 
combined probably. The number of times we convert customers that were 
using CVE as their primary intelligence feed is more than any 
other source.

.b
