The OSVDB project was launched in 2002 following a realization in the security community that no independent, community-operated vulnerability database existed. There were, and still are, numerous vulnerability databases. Some of these databases are managed by private interests to meet their own requirements, while others contain a limited subset of vulnerabilities or have significant restrictions on their content. None are simultaneously comprehensive, open for free use, and answerable to the community. The OSVDB's organizers set out to implement a vulnerability database that meets all those requirements.
The OSVDB project has been successful in fulfilling its original objectives. The project concentrated at first on establishing a core group of project organizers, on creating the technical infrastructure to collect and validate vulnerability data, and on building a team of contributors to create the open-source vulnerability records. These goals have been met, and the OSVDB team is now planning its next stage of growth. After a significant period of development - in effect, an "alpha" release - it has been opened to the public as of 31 March 2004 at http://www.osvdb.org/.
A GROWING PROBLEM
According to CERT's statistics, the number of computer security vulnerabilities found each year has risen over two thousand percent since 1995. Tracking these vulnerabilities and their cures is critical for those who protect networked systems against accidental misuse and deliberate attack, from home users and small businesses to globe-spanning enterprises.
Annual vulnerability announcements number in the thousands, well beyond the capacity for human memory to manage. Well-organized databases, with verified contents and flexible search abilities, are required if these vulnerabilities are to be controlled by the security community. The OSVDB provides the necessary structure, technology, and content to support that community requirement for vulnerability management.
AN OPEN SOLUTION
The OSVDB's main goal is to be complete and to be without bias. It should serve as one-stop shopping for all vulnerability needs. Developers creating vulnerability-assessment tools, system administrators protecting servers and networks, business staff assessing risks and remedies, academic researchers documenting analyzing the past and future of network security: all expend effort to identify vulnerabilities, all work to document them consistently, all can benefit from a single, comprehensive source of vulnerability data. The OSVDB is this source, reducing duplication of effort while it promotes data consistency.
The OSVDB is unbiased and neutral in its practices for accepting, reviewing, and publishing vulnerabilities. Its open acceptance of community input and internal review processes ensure that the vulnerability database is not colored by vendor-related biases. OSVDB organizers believe that more than one vulnerability database is needed to meet the full variety of community requirements. While it references the other vulnerability databases, it develops its own database entries to ensure that there are no restrictions on distribution and re-use of the OSVDB vulnerability data: its contents are free of cost and free of restrictions on use.
Research and analysis of licensing alternatives for the OSVDB products and services are underway. The OSVDB project team expects to produce the final project license in the second quarter of 2004. In the meantime, a working-draft license is in force (see the OSVDB website at http://www.osvdb.org/license.php).
Formal non-profit standing
The OSVDB team is currently working to provide the required legal status by incorporating an organization under United States law. The organization, tentatively named the Open Security Foundation, will be a private not-for-profit foundation. Its mission is to make information-technology (IT) security information and services freely available to all who need it. The foundation's initial project will be the Open Source Vulnerability Database, but it will be capable of hosting additional security projects and will actively seek out suitable ones.
OSVDB ethical vulnerability disclosure
The OSVDB's policy on the release of vulnerability information will incorporate clear guidelines on the timing of notification to the product developer, and of notification to the open security community. The OSVDB's approach will support an ethical and predictable process for this release. The policy is expected to be published in the second quarter of 2004.
An open-source project succeeds or fails based on the support of its volunteer participants. The long-term viability of the OSVDB project depends on continuous success in recruiting new participants, and in recognizing the contributions of those who work within the project. Programs and initiatives to publicize the OSVDB's work and to recruit new participants will be pursued in the second quarter of 2004 and continuously after that.
Expansion of the vulnerability database
In its initial development phase, the OSVDB project created an online content-management system to add vulnerability records to the database. The system supports the initial research and creation of records, the review process, and incorporation of the finalized records into the public database. Throughout initial use and testing, the system has been improved continuously to streamline the needed tasks and to make it easier to perform the research and cross-referencing needed to complete a vulnerability record. This focus on ease of use will help contributors work efficiently and will speed the creation of vulnerability records, leading to the desired expansion of the vulnerability database.
Advanced vulnerability retrieval
The vulnerability database is currently available in its entirety from the OSVDB website. The OSVDB is developing tools to make it easy to search the vulnerability database on-line so that straightforward queries are easy to make. For those requiring a higher degree of automation in querying and retrieving vulnerabilities, an XML-formatted version of the database will be developed so that automated processes can query it remotely. The OSVDB system will also prototype automated posting of vulnerabilities through an RSS-like "push" mechanism. Subscribers will receiver each new vulnerability at the moment it is cleared into the database, and can choose to set customized filters to receive a subset of those records as needed. These new features are intended to be put in place over the second and third quarters of 2004.
Active integration with vulnerability tools
Tracking existing and new vulnerabilities is one of the toughest challenges for developers of security tools. OSVDB is working to streamline the process of identifying and setting priorities for the vulnerabilities it provides to tool developers like the Nessus, Snort, and Nikto projects. In brief, the OSVDB will assist vulnerability-tool developers to identify vulnerabilities that are not already represented in their products, and will provide a way to identify the high-priority vulnerabilities for immediate attention.
The OSVDB is relatively new in the arena of open-source projects. It was first conceived in the summer of 2002, and has already put in place much of the organization, technology, and process needed to meet its initial goals. Continuing to build on that foundation, however, will allow the OSVDB to become more useful and more central to the information-technology security community. The upcoming year promises not just incremental improvements to the OSVDB, but also innovations to the existing legal and organizational structure of the project, a focus on recruitment of project participants, and technical advances to make the project even more valuable to the security community. The OSVDB online system can be found at www.OSVDB.org.
Complete information on the OSVDB's aims and objectives can be found at: http://osvdb.org/documentation.php
Jacob (Jake) Kouns Open Source Vulnerability Database Project: email@example.com
JOIN THE PROJECT