New vulnerability database offers free security data
An open-source project to catalog and describe IT security vulnerabilities has opened its Web-based database to the public.
The Open Source Vulnerability Database is available free at www.osvdb.org, and data may be used by individuals and companies subject to minimal licensing requirements.
Although the database itself is an open-source project, it lists vulnerabilities for all types of software, proprietary as well as open-source, said Jake Kouns, chief moderator of the OSVDB project team.
The project began in 2002, and its Web site went online March 31. It contains 1,800 verified entries, with another 2,700 undergoing evaluation.
'There is quite a bit of work to be done,' said Kouns, whose day job is network security manager for a large financial company. 'There are still another 2,000 to 3,000 that are not in the database. We fully recognize that the content needs to be updated.'
That work is progressing as fast as the four volunteer leaders and 20 to 30 unpaid contributors who gather and evaluate the data can do it.
OSVDB complements the work of other projects and databases, such as the Common Vulnerabilities and Exposures lexicon. CVE, developed and hosted by Mitre Corp. of Bedford, Mass., at cve.mitre.org, is a dictionary of vulnerabilities rather than a database. Its goal is to provide the IT security community with a common language for discussing and responding to vulnerabilities.
There are other vulnerability databases that rely on the CVE, which Kouns says is an 'incredible resource. But CVE is conservative in some ways.' Kouns hopes OSVDB eventually will be more inclusive than other databases.
OSVDB does not use CVE taxonomy, and its identifiers for unique vulnerabilities apply only within its own database.
A selling point for the new database is that it is free. Under its open-source licensing agreement, even for-profit companies are free to use the data as long as OSVDB is credited.
'We don't want anybody rebranding our hard work,' Kouns said.
The downside of the project is that it is operating on a shoestring, with few resources. The database Web site is hosted by Digital Defense Inc. of San Antonio. As of April 2, 'it is being crushed' by traffic, Kouns said. 'We are trying to find some funding to help this kind of thing.'
Kouns said the project is working to get nonprofit status so it can solicit donations and apply for grants to continue its work.