Vulnerability database goes live on net

A collaborative project intended to give network managers a comprehensive, unbiased source of information on software vulnerabilities has gone live, delivering its entire library of flaws under an open-source licence.

The Open Source Vulnerability Database (OSVDB) is a clearing-house for verified vulnerability information, collecting and organising the thousands of vulnerability reports which surface each year so that IT managers do not have to.

Unlike the many security databases already available, it aims to be answerable to the security community, to be freely available and to function as a resource for developers, system administrators, business staff carrying out risk assessments and academics.

"All can benefit from a single, comprehensive source of vulnerability data," the group said. "The OSVDB is this source, reducing duplication of effort while it promotes data consistency."

Entries in the database cite other sources, but the OSVDB team writes its own entry for each reference rather than reproducing the cited text, so that nothing restricts the distribution and re-use of the content. Entries are already covered by a working draft open-source licence, with the final project licence promised for the second quarter of this year.

Companies are increasingly reliant on well-organised databases to keep track of the thousands of vulnerability announcements arriving each year; the number of security flaws discovered each year has risen more than 2,000 per cent since 1995, according to security organisation Cert.

Specialist companies have responded to the need with databases such as BugTraq from SecurityFocus, acquired in 2002 by Symantec. Individual suppliers also provide their own databases of flaws in their own software.

OSVDB relies on the efforts of volunteers who are already professionals in the field. A small group co-ordinates the OSVDB's activities, with more than two dozen others helping to verify and edit entries. The project said it has so far catalogued nearly 1,900 vulnerabilities, with another 2,700 awaiting verification.

The project conceded that a major task will be ensuring that a steady supply of volunteers can be found to keep things running.

"The long-term viability of the OSVDB project depends on continuous success in recruiting participants, and in recognising the contributions of those who work within the project," the group said.

The database can be searched through the existing OSVDB website, with an XML-formatted version on the way for searching by automated processes. The team is also prototyping an automated RSS-like "push" mechanism for alerts.

The database can be integrated into third-party security software, and is already compatible with three open-source products: the Snort intrusion detection system, the Nessus network scanner and the Nikto web-server scanner.
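Integration of this kind usually comes down to shared identifiers: an IDS rule or scanner plugin carries cross-references (CVE, BugTraq, OSVDB) that can be matched against the references stored in a vulnerability-database entry. The script below is an added illustration, not OSVDB's code and not its export format (the XML version had not shipped at the time of the article, so the `<vulndb>` layout and every ID in it are constructed for this example). The Snort side uses the real rule-option syntax `reference:<system>,<id>;` and `sid:<n>;`, with made-up rules as input. It reports which database entries are covered by at least one rule and which have no signature at all.

```python
"""Correlate Snort rule cross-references with a local vulnerability-database export.

Added example: not OSVDB's own code. The XML layout and all identifiers below
are constructed stand-ins; only the Snort 'reference:' / 'sid:' option syntax is real.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample export: entry IDs, titles and references are invented.
VULN_XML = """<vulndb>
  <vuln id="1001">
    <title>Example FTP server buffer overflow</title>
    <ref system="cve">2004-1111</ref>
    <ref system="bugtraq">9999</ref>
  </vuln>
  <vuln id="1002">
    <title>Example web application directory traversal</title>
    <ref system="bugtraq">8888</ref>
  </vuln>
  <vuln id="1003">
    <title>Example SNMP community string disclosure</title>
  </vuln>
</vulndb>"""

# Constructed sample rules; sids and references are invented.
SNORT_RULES = r'''
alert tcp any any -> $HOME_NET 21 (msg:"FTP overflow attempt"; content:"USER "; reference:cve,2004-1111; reference:osvdb,1001; sid:1000001; rev:1;)
alert tcp any any -> $HTTP_SERVERS 80 (msg:"WEB traversal"; content:"../"; reference:bugtraq,8888; sid:1000002; rev:2;)
alert udp any any -> $HOME_NET 161 (msg:"SNMP public community"; content:"public"; sid:1000003; rev:1;)
'''

# 'reference:<system>,<id>;' may appear several times in one rule body.
REF_RE = re.compile(r'reference:\s*([A-Za-z0-9_-]+)\s*,\s*([^;]+?)\s*;')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')


def parse_rule_refs(rules_text):
    """Return {sid: {(system, id), ...}} for every non-comment rule line that has a sid."""
    refs = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = SID_RE.search(line)
        if not m:
            continue
        sid = int(m.group(1))
        refs[sid] = {(system.lower(), value) for system, value in REF_RE.findall(line)}
    return refs


def load_vulndb(xml_text, local_system='osvdb'):
    """Return {entry_id: {(system, id), ...}}; the entry's own id counts as a reference too."""
    db = {}
    for v in ET.fromstring(xml_text).findall('vuln'):
        entry_id = v.get('id')
        keys = {(local_system, entry_id)}
        for r in v.findall('ref'):
            keys.add((r.get('system').lower(), r.text.strip()))
        db[entry_id] = keys
    return db


def correlate(rules_text, xml_text):
    """Map each database entry to the sorted list of sids whose references overlap with it."""
    rule_refs = parse_rule_refs(rules_text)
    db = load_vulndb(xml_text)
    return {entry_id: sorted(sid for sid, refs in rule_refs.items() if refs & keys)
            for entry_id, keys in db.items()}


def uncovered(rules_text, xml_text):
    """Entries that no rule references: candidates for writing a signature."""
    return sorted(e for e, sids in correlate(rules_text, xml_text).items() if not sids)


if __name__ == '__main__':
    for entry_id, sids in correlate(SNORT_RULES, VULN_XML).items():
        print(entry_id, 'covered by sids', sids or 'none')
    print('uncovered:', uncovered(SNORT_RULES, VULN_XML))
```

Matching on any shared reference (not only the local ID) is deliberate: a rule written against a CVE or BugTraq number still maps to the entry, which is the point of the database carrying references to other sources. The cost is that a single wrong cross-reference in either place produces a false match, so reviewing the overlap keys before trusting the report is part of the job.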

Matthew Broersma writes for
