Despite what you might assume from the name, the project's creators are not just interested in collecting data on flaws in open-source software. Instead, they're collecting information on vulnerabilities from a wide variety of sources that they then distribute freely, under an open-source license.
The project, which went live on Wednesday, has been in the works since 2002. The team has spent most of its time since then gathering and categorizing vulnerability data. Most of the records in the database come from submissions to myriad security-related mailing lists.
OSVDB is run by a small group of security professionals who have worked on the project on their own time. Jake Kouns, chief moderator of the team, said the project so far has catalogued nearly 1,900 vulnerabilities, with another 2,700 or so submissions waiting to be confirmed and edited.
Once a new vulnerability is found, one of more than two dozen volunteer "data manglers" is assigned to confirm its veracity and get the information in shape for inclusion in the database. The flaw is then given a unique identifier and slated for database inclusion.
Kouns said that the group is hoping to begin comparing its database with other, similar stores, including the CVE (Common Vulnerabilities and Exposures) project maintained by The Mitre Corp., so that it can reference CVE numbers wherever they're applicable. The CVE project assigns a unique number to each new vulnerability and publishes a one-line description of the problem.
Currently, the OSVDB supports three open-source security products: the Snort intrusion detection system, the Nessus network scanner and the Nikto Web-server scanner.