Open Source Vulnerability Database

Last updated September 24, 2024

The Open Sourced Vulnerability Database (OSVDB) was an independent and open-sourced vulnerability database. The goal of the project was to provide accurate, detailed, current, and unbiased technical information on security vulnerabilities.^[1] The project promoted greater and more open collaboration between companies and individuals. The database's motto was "Everything is Vulnerable".^[2]

The core of OSVDB was a relational database which tied various information about security vulnerabilities into a common, cross-referenced open security data source. As of December 2013, the database cataloged over 100,000 vulnerabilities.^[3] While the database was maintained by a 501(c)(3) non-profit public organization and volunteers, the data was prohibited for commercial use without a license. Despite that, many large commercial companies used the data in violation of the license without contributing employee volunteer time or financial compensation.^[4]

History

The project was started in August 2002 at the Blackhat and DEF CON Conferences by several industry notables (including H. D. Moore, rain.forest.puppy, and others). Under mostly-new management, the database officially launched to the public on March 31, 2004.^[5] The original implementation was written in PHP by Forrest Rae (FBR). Later, the entire site was re-written in Ruby on Rails by David Shettler.

The Open Security Foundation (OSF) was created to ensure the project's continuing support. Jake Kouns (Zel), Chris Sullo, Kelly Todd (AKA Lyger), David Shettler (AKA D2D), and Brian Martin (AKA Jericho) were project leaders for the OSVDB project, and held leadership roles in the OSF at various times.

On 5 April 2016, the database was shut down, while the blog was initially continued by Brian Martin.^[6] The reason for the shut down was the ongoing commercial but uncompensated use by security companies.^[7]

As of January 2012, vulnerability entry was performed by full-time employees of Risk Based Security,^[8] who provided the personnel to do the work in order to give back to the community. Every new entry included a full title, disclosure timeline, description, solution (if known), classification metadata, references, products, and researcher who discovered the vulnerability (creditee).

Process

Originally, vulnerability disclosures posted in various security lists and web sites were entered into the database as a new entry in the New Data Mangler (NDM) queue. The new entry contained only a title and links to the disclosure. At that stage the page for the new entry didn't contain any detailed description of the vulnerability or any associated metadata. As time permitted, new entries were analyzed and refined, by adding a description of the vulnerability as well as a solution if available. This general activity was called "data mangling" and someone who performed this task a "mangler". Mangling was done by core or casual volunteers. Details submitted by volunteers were reviewed by the core volunteers, called "moderators", further refining the entry or rejecting the volunteer changes if necessary. New information added to an entry that was approved was then available to anyone browsing the site.

Contributors

Some of the key people that volunteered and maintained OSVDB:

Jake Kouns (Officer of OSF, Moderator)
Brian Martin a.k.a. Jericho (Officer of OSF, Moderator)
Kelly Todd a.k.a. Lyger (Officer of OSF, Moderator)
David Shettler (Officer of OSF, Developer)
Chris Sullo (Moderator)
Daniel Moeller (Moderator)
Forrest Rae (Developer)

Other volunteers who have helped in the past include:^[9]

Steve Tornio (Moderator)
Zach Shue (Moderator)
Alexander Koren a.k.a ph0enix (Mangler)
Carsten Eiram a.k.a. Chep (Moderator)
Marlowe (Mangler)
Travis Schack (Mangler)
Susam Pal (Mangler)
Christian Seifert (Mangler)
Zain Memon

Related Research Articles

MusicBrainz is a MetaBrainz project that aims to create a collaborative music database that is similar to the freedb project. MusicBrainz was founded in response to the restrictions placed on the Compact Disc Database (CDDB), a database for software applications to look up audio CD information on the Internet. MusicBrainz has expanded its goals to reach beyond a CD metadata storehouse to become a structured online database for music.

McAfee Corp., formerly known as McAfee Associates, Inc. from 1987 to 1997 and 2004 to 2014, Network Associates Inc. from 1997 to 2004, and Intel Security Group from 2014 to 2017, is an American global computer security software company headquartered in San Jose, California.

A patch is data that is intended to be used to modify an existing software resource such as a program or a file, often to fix bugs and security vulnerabilities. A patch may be created to improve functionality, usability, or performance. A patch is typically provided by a vendor for updating the software that they provide.

Vulnerabilities are flaws in a computer system that weaken the overall security of the system.

The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information-security vulnerabilities and exposures. The United States' National Cybersecurity FFRDC, operated by The MITRE Corporation, maintains the system, with funding from the US National Cyber Security Division of the US Department of Homeland Security. The system was officially launched for the public in September 1999.

Database security concerns the use of a broad range of information security controls to protect databases against compromises of their confidentiality, integrity and availability. It involves various types or categories of controls, such as technical, procedural or administrative, and physical.

A document-oriented database, or document store, is a computer program and data storage system designed for storing, retrieving and managing document-oriented information, also known as semi-structured data.

Open-source software security is the measure of assurance or guarantee in the freedom from danger and risk inherent to an open-source software system.

<span class="mw-page-title-main">Metadata</span> Data

Metadata is "data that provides information about other data", but not the content of the data itself, such as the text of a message or the image itself. There are many distinct types of metadata, including:

Bugtraq was an electronic mailing list dedicated to issues about computer security. On-topic issues are new discussions about vulnerabilities, vendor security-related announcements, methods of exploitation, and how to fix them. It was a high-volume mailing list, with as many as 776 posts in a month, and almost all new security vulnerabilities were discussed on the list in its early days. The forum provided a vehicle for anyone to disclose and discuss computer vulnerabilities, including security researchers and product vendors. While the service has not been officially terminated, and its archives are still publicly accessible, no new posts have been made since January 2021.

Freebase was a large collaborative knowledge base consisting of data composed mainly by its community members. It was an online collection of structured data harvested from many sources, including individual, user-submitted wiki contributions. Freebase aimed to create a global resource that allowed people to access common information more effectively. It was developed by the American software company Metaweb and run publicly beginning in March 2007. Metaweb was acquired by Google in a private sale announced on 16 July 2010. Google's Knowledge Graph is powered in part by Freebase.

The Open Security Foundation (OSF) was a 501(c)(3) non-profit public organization "founded and operated by information security enthusiasts". The OSF managed several projects including the Open Source Vulnerability Database (OSVDB), Data Loss Database (DatalossDB), and Cloutage.

Trellix is a privately held cybersecurity company that was founded in 2022. It has been involved in the detection and prevention of major cybersecurity attacks. It provides hardware, software, and services to investigate cybersecurity attacks, protect against malicious software, and analyze IT security risks.

Operation Aurora was a series of cyber attacks performed by advanced persistent threats such as the Elderwood Group based in Beijing, China, with associations with the People's Liberation Army. First disclosed publicly by Google on January 12, 2010, by a weblog post, the attacks began in mid-2009 and continued through December 2009.

A vulnerability database (VDB) is a platform aimed at collecting, maintaining, and disseminating information about discovered computer security vulnerabilities. The database will customarily describe the identified vulnerability, assess the potential impact on affected systems, and any workarounds or updates to mitigate the issue. A VDB will assign a unique identifier to each vulnerability cataloged such as a number or alphanumeric designation. Information in the database can be made available via web pages, exports, or API. A VDB can provide the information for free, for pay, or a combination thereof.

A bug bounty program is a deal offered by many websites, organizations, and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities.

<span class="mw-page-title-main">Heartbleed</span> Security bug in OpenSSL

Heartbleed is a security bug in some outdated versions of the OpenSSL cryptography library, which is a widely used implementation of the Transport Layer Security (TLS) protocol. It was introduced into the software in 2012 and publicly disclosed in April 2014. Heartbleed could be exploited regardless of whether the vulnerable OpenSSL instance is running as a TLS server or client. It resulted from improper input validation in the implementation of the TLS heartbeat extension. Thus, the bug's name derived from heartbeat. The vulnerability was classified as a buffer over-read, a situation where more data can be read than should be allowed.

The Core Infrastructure Initiative (CII) was a project of the Linux Foundation to fund and support free and open-source software projects that are critical to the functioning of the Internet and other major information systems. The project was announced on 24 April 2014 in the wake of Heartbleed, a critical security bug in OpenSSL that is used on millions of websites.

The Open Semantic Framework (OSF) is an integrated software stack using semantic technologies for knowledge management. It has a layered architecture that combines existing open source software with additional open source components developed specifically to provide a complete Web application framework. OSF is made available under the Apache 2 license.

Log4Shell (CVE-2021-44228) is a zero-day vulnerability in Log4j, a popular Java logging framework, involving arbitrary code execution. The vulnerability had existed unnoticed since 2013 and was privately disclosed to the Apache Software Foundation, of which Log4j is a project, by Chen Zhaojun of Alibaba Cloud's security team on 24 November 2021. Before an official CVE identifier was made available on 10 December 2021, the vulnerability circulated with the name "Log4Shell", given by Free Wortley of the LunaSec team, which was initially used to track the issue online. Apache gave Log4Shell a CVSS severity rating of 10, the highest available score. The exploit was simple to execute and is estimated to have had the potential to affect hundreds of millions of devices.

References

↑ Rosencrance, Linda (16 April 2004). "Brief: Vulnerability database goes live". Computerworld. Retrieved 15 August 2020.
↑ "Biased software vulnerability stats praising Microsoft were 101% misleading" . Retrieved 20 May 2020.
↑ "We hit the 100,000 mark…". 20 January 2014. Retrieved 22 January 2020.
↑ "McAfee accused of McSlurping Open Source Vulnerability Database". www.theregister.com. Retrieved 15 August 2020.
↑ Gold, Jon (7 April 2016). "Open-source vulnerabilities database shuts down". Network World. Retrieved 22 January 2020.
↑ "OSVDB: Fin". 5 April 2016. Archived from the original on 28 May 2016. Retrieved 22 January 2020.
↑ Kovacs, Eduard. "McAfee Issues Response to OSVDB Accusations Regarding Data Scraping". softpedia. Retrieved 15 August 2020.
↑ "Homepage". RBS. Retrieved 15 August 2020.
↑ "OSVDB: Open Sourced Vulnerability Database". 2 May 2014. Archived from the original on 2 May 2014. Retrieved 6 August 2024.

External links

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Rosencrance, Linda (16 April 2004). "Brief: Vulnerability database goes live". Computerworld. Retrieved 15 August 2020.

[2] "Biased software vulnerability stats praising Microsoft were 101% misleading" . Retrieved 20 May 2020.

[3] "We hit the 100,000 mark…". 20 January 2014. Retrieved 22 January 2020.

[4] "McAfee accused of McSlurping Open Source Vulnerability Database". www.theregister.com. Retrieved 15 August 2020.

[5] Gold, Jon (7 April 2016). "Open-source vulnerabilities database shuts down". Network World. Retrieved 22 January 2020.

[6] "OSVDB: Fin". 5 April 2016. Archived from the original on 28 May 2016. Retrieved 22 January 2020.

[7] Kovacs, Eduard. "McAfee Issues Response to OSVDB Accusations Regarding Data Scraping". softpedia. Retrieved 15 August 2020.

[8] "Homepage". RBS. Retrieved 15 August 2020.

[9] "OSVDB: Open Sourced Vulnerability Database". 2 May 2014. Archived from the original on 2 May 2014. Retrieved 6 August 2024.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]