Open Source Vulnerability Database

The Open Sourced Vulnerability Database (OSVDB) was an independent and open-sourced vulnerability database. The goal of the project was to provide accurate, detailed, current, and unbiased technical information on security vulnerabilities. [1] The project promoted greater and more open collaboration between companies and individuals. The database's motto was "Everything is Vulnerable". [2]

The core of OSVDB was a relational database that tied together various pieces of information about security vulnerabilities into a common, cross-referenced open security data source. As of December 2013, the database catalogued over 100,000 vulnerabilities. [3] While the database was maintained by a 501(c)(3) non-profit public organization and volunteers, the data could not be used commercially without a license. Despite that, many large commercial companies used the data in violation of the license without contributing employee volunteer time or financial compensation. [4]

History

The project was started in August 2002 at the Black Hat and DEF CON conferences by several industry notables (including H. D. Moore, rain.forest.puppy, and others). Under mostly new management, the database officially launched to the public on March 31, 2004. [5] The original implementation was written in PHP by Forrest Rae (FBR). Later, the entire site was rewritten in Ruby on Rails by David Shettler.

The Open Security Foundation (OSF) was created to ensure the project's continuing support. Jake Kouns (Zel), Chris Sullo, Kelly Todd (AKA Lyger), David Shettler (AKA D2D), and Brian Martin (AKA Jericho) were project leaders for the OSVDB project, and held leadership roles in the OSF at various times.

On 5 April 2016, the database was shut down, while the blog was initially continued by Brian Martin. [6] The reason for the shutdown was the ongoing commercial but uncompensated use of the data by security companies. [7]

As of January 2012, vulnerability entry was performed by full-time employees of Risk Based Security, [8] who provided the personnel to do the work in order to give back to the community. Every new entry included a full title, disclosure timeline, description, solution (if known), classification metadata, references, affected products, and the researcher who discovered the vulnerability (the creditee).

Process

Originally, vulnerability disclosures posted to various security mailing lists and websites were entered into the database as a new entry in the New Data Mangler (NDM) queue. The new entry contained only a title and links to the disclosure; at that stage its page held no detailed description of the vulnerability and no associated metadata. As time permitted, new entries were analyzed and refined by adding a description of the vulnerability and, if available, a solution. This activity was called "data mangling", and someone who performed it a "mangler". Mangling was done by core or casual volunteers. Details submitted by volunteers were reviewed by core volunteers called "moderators", who further refined the entry or rejected the volunteer's changes if necessary. Once approved, the new information added to an entry became visible to anyone browsing the site.
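The entry lifecycle described above (NDM queue, mangling by volunteers, moderation by core volunteers, publication only after approval) can be modelled as a small role-gated state machine. The following is an added illustration, not OSVDB's own code: the state names, the role rules (including the rule that a moderator cannot approve their own proposal) and the user names are assumptions; the field names follow the article's description of an entry. The point it shows is separation of duties: unreviewed volunteer input never reaches the public view.

```python
"""Toy model of the OSVDB entry lifecycle (constructed example, not OSVDB code).

Assumptions: the states NEW/PENDING/PUBLISHED, the two roles, and the rule that
nobody reviews their own proposal. Field names follow the article's description.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Role(Enum):
    MANGLER = "mangler"        # core or casual volunteer who refines entries
    MODERATOR = "moderator"    # core volunteer who approves or rejects changes


class State(Enum):
    NEW = "new"                # in the NDM queue: title and links only
    PENDING = "pending"        # a volunteer proposed details; awaiting review
    PUBLISHED = "published"    # at least one proposal approved and visible


@dataclass
class Proposal:
    author: str
    fields: dict


@dataclass
class Entry:
    title: str
    references: list                                # links to the disclosure
    state: State = State.NEW
    public: dict = field(default_factory=dict)      # what site visitors see
    pending: Optional[Proposal] = None              # unreviewed volunteer input


class Database:
    # Fields a mangler may add; title and references come from ingestion.
    MANGLE_FIELDS = {"description", "solution", "classification",
                     "products", "creditee", "disclosure_timeline"}

    def __init__(self, roles: dict):
        self.roles = roles          # username -> Role (assumed user list)
        self.entries = []

    def ingest(self, title: str, references) -> Entry:
        """A new disclosure enters the NDM queue with only a title and links."""
        entry = Entry(title=title, references=list(references))
        self.entries.append(entry)
        return entry

    def mangle(self, user: str, entry: Entry, **details) -> None:
        """A volunteer refines the entry; the result stays private until reviewed."""
        if user not in self.roles:
            raise PermissionError(f"{user} is not a volunteer")
        unknown = set(details) - self.MANGLE_FIELDS
        if unknown:
            raise ValueError(f"unsupported fields: {sorted(unknown)}")
        entry.pending = Proposal(author=user, fields=dict(details))
        entry.state = State.PENDING

    def review(self, user: str, entry: Entry, approve: bool) -> None:
        """Only a moderator may publish or reject a pending proposal."""
        if self.roles.get(user) is not Role.MODERATOR:
            raise PermissionError(f"{user} is not a moderator")
        if entry.pending is None:
            raise ValueError("nothing to review")
        if user == entry.pending.author:
            raise PermissionError("a proposal may not be approved by its author")
        if approve:
            entry.public.update(entry.pending.fields)
            entry.state = State.PUBLISHED
        else:
            # Rejected: keep whatever was already public, drop the proposal.
            entry.state = State.PUBLISHED if entry.public else State.NEW
        entry.pending = None

    def public_view(self, entry: Entry) -> dict:
        """What an anonymous site visitor sees: never the pending proposal."""
        view = {"title": entry.title, "references": list(entry.references)}
        view.update(entry.public)
        return view


if __name__ == "__main__":
    db = Database({"alice": Role.MANGLER, "bob": Role.MODERATOR})
    e = db.ingest("Example product: buffer overflow (constructed)",
                  ["https://example.invalid/advisory"])
    db.mangle("alice", e, description="stack buffer overflow in parser",
              solution="upgrade to the fixed release")
    print(e.state, db.public_view(e))        # still only title + references
    db.review("bob", e, approve=True)
    print(e.state, db.public_view(e))        # description and solution now public
```

The `public_view` method is the only read path, so the invariant that unreviewed text is never shown holds by construction rather than by convention; a real system would add an audit log of who proposed and who approved each change.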

Contributors

Some of the key people that volunteered and maintained OSVDB:

Other volunteers who have helped in the past include:

References

  1. Rosencrance, Linda (16 April 2004). "Brief: Vulnerability database goes live". Computerworld. Retrieved 15 August 2020.
  2. "Biased software vulnerability stats praising Microsoft were 101% misleading". Retrieved 20 May 2020.
  3. "We hit the 100,000 mark…". 20 January 2014. Retrieved 22 January 2020.
  4. "McAfee accused of McSlurping Open Source Vulnerability Database". www.theregister.com. Retrieved 15 August 2020.
  5. Gold, Jon (7 April 2016). "Open-source vulnerabilities database shuts down". Network World. Retrieved 22 January 2020.
  6. "OSVDB: Fin". 5 April 2016. Archived from the original on 28 May 2016. Retrieved 22 January 2020.
  7. Kovacs, Eduard. "McAfee Issues Response to OSVDB Accusations Regarding Data Scraping". Softpedia. Retrieved 15 August 2020.
  8. "Homepage". RBS. Retrieved 15 August 2020.