In the interest of spreading the security message to as wide an audience as possible, a group of volunteer security professionals has compiled one of the largest, most complete and most freely accessible databases of vulnerabilities on the Internet.
Open Source Vulnerability Database, or OSVDB, is meant to serve as a central collection point for information on any and all security vulnerabilities.
Despite what one might assume from the name, the project is not just aimed at collecting data on flaws in open-source software. OSVDB's creators collect information on vulnerabilities from a wide variety of sources and distribute it freely, under an open-source license.
The project, which went live last week and can be accessed here, has been in the works since 2002, and the team has spent most of its time since then gathering vulnerability data and categorizing it.
Most of the records in the database come from submissions to the myriad security-related mailing lists that collect such vulnerability details.
OSVDB is run by a small group of security professionals who have worked on the project on their own time. Jake Kouns, chief moderator of the team, said the project so far has cataloged nearly 1,900 vulnerabilities, with another 2,700 or so submissions waiting to be confirmed, categorized and edited.
Once a new vulnerability is found, one of more than two dozen volunteer "data manglers" is assigned to confirm the report's veracity and get the information in shape for inclusion in the database. The flaw is given a unique identifier and slated for inclusion in the database, according to Kouns.
Kouns said the group is hoping to begin comparing its database with other similar stores, including the Common Vulnerabilities and Exposures project maintained by The Mitre Corp., so that it can reference CVE numbers wherever they're applicable. The CVE project assigns unique numbers to each new vulnerability and publishes a one-line description of the problem.
Currently, OSVDB supports three open-source security products: the Snort IDS, the Nessus network scanner and the Nikto Web server scanner.