Security

Open Source Vulnerability Database Shuts Down (osvdb.org)

Reader StonyCreekBare writes: From the Blog at osvdb.org: "As of today, a decision has been made to shut down the Open Source Vulnerability Database (OSVDB), and will not return. We are not looking for anyone to offer assistance at this point, and it will not be resurrected in its previous form. This was not an easy decision, and several of us struggled for well over ten years trying to make it work at great personal expense. The industry simply did not want to contribute and support such an effort."
  • I get that they want to take their ball home and stop playing. Guessing that they're not happy that vendors didn't play nice to or with them. Nothing wrong with that position either. But they could offer the DB for others to download. Maybe someone could do a better fork, or find a better way to work with vendors.

    Not remotely saying that some/most vendors do a crap job with security disclosures and patching in general. But some folks don't make it easy to get along with.
    • Nah - this is a last-ditch effort to get businesses to say "hey look, if we pay you, will you change your mind?" Extortion 101.
    • by TheRaven64 ( 641858 ) on Wednesday April 06, 2016 @10:19AM (#51853271) Journal
      They probably shut down because MITRE's CVE database is pretty much regarded as the canonical database for all vulnerabilities, open and proprietary. I've not seen a security advisory that didn't have a CVE number for a long time. I don't remember ever seeing one with a reference to OSVDB.
      • by mx+b ( 2078162 ) on Wednesday April 06, 2016 @11:21AM (#51853709)

        They probably shut down because MITRE's CVE database is pretty much regarded as the canonical database for all vulnerabilities, open and proprietary. I've not seen a security advisory that didn't have a CVE number for a long time. I don't remember ever seeing one with a reference to OSVDB.

        MITRE itself has a list of things it thinks deserve CVE IDs: https://cve.mitre.org/cve/data_sources_product_coverage.html [mitre.org] for details. Things outside of this list may not ever receive a CVE ID, even if they are valid vulnerabilities.

        The takeaway is that lots of products have vulnerabilities but never receive CVEs or are included in the CVE dictionary. This is why alternates like OSVDB popped up, and why alternate vulnerability ID systems popped up recently (see DWF [seclists.org] as a primary example).

        It's a shame to lose something like OSVDB, as there really isn't a good canonical source of ALL vulnerabilities. MITRE's CVE works for vulnerabilities in big name products, but it is nowhere near inclusive of all vulnerabilities reported. Of course, OSVDB hasn't been updated recently either, so there's a big gap in even knowing what's out there. Maybe projects like DWF will help us move in that direction.

  • "The industry didn't want to contribute and support such an effort." What did you expect? That they were going to throw money at you because OPEN SOURCE?

  • by zenlessyank ( 748553 ) on Wednesday April 06, 2016 @10:14AM (#51853219)
    http://www.securityfocus.com/ [securityfocus.com] This is one I check on periodically. It has both open source and closed source vulnerabilities. Yea, I know it is Symantec, but even a stopped clock is right twice a day unless it's digital ;)
    • When Symantec acquired SNI they agreed to keep the site free. The paid version is DeepSight. OSVDB never had a chance.
  • Comment removed (Score:5, Interesting)

    by account_deleted ( 4530225 ) on Wednesday April 06, 2016 @10:36AM (#51853367)
    Comment removed based on user account deletion
    • by sinij ( 911942 )
      I am a certifier and security auditor, and my experience mirrors the above. Even when they pay you to find issues, they often don't want to fix them. It is just not a development priority unless it leads to full-blown compromise (e.g. root) and there is very little customer demand for security. For example, convincing an organization to upgrade from RSA-1024 certs is a Sisyphean task.
    • by Anonymous Coward

      Your problem is that you are reporting these things to them.
      The right thing to do is publicize first.
      Let them ask questions later.
      The whole "responsible disclosure" thing is code for "we don't want people to know our shit sucks".
      If everyone just anonymously posted security issues online they would get exploited, and therefore fixed, much faster.

    • This makes me wonder how many security researchers simply go to work for the black market.

      How exactly do you make a living as a "security researcher" anyway, if companies treat you like this?

  • We are always looking for groups that show what we miss in potentially countless hours of testing, or exposing our inside voluntary or non-voluntary arrangements with government agencies (especially US and China), or exposing how much effort we make (or lack thereof) into securing our products.

    We want to show people we truly put the safety and security of our customers above profitability. We know the stockholders will understand.

    (and if you believe that there is a bridge in Brooklyn I can show you
