About the OSVDB API

Overview on OSVDB Cross-Referencing and Integration

The Open Source Vulnerability Database (OSVDB) is an independent and open source database created by and for the security community. The goal of OSVDB is to provide accurate, detailed, current, and unbiased technical information.  By utilizing a wide range of diverse resources, OSVDB brings vulnerability information together in one centralized location, thus reducing the need to access multiple locations for the same information.  The database itself is openly available for download, can be cross-referenced by other databases, and is available for integration into security products such as vulnerability scanners and intrusion detection and prevention systems.

Some of the data in a typical OSVDB entry includes date of disclosure, attack type, impact, available solutions, and a list of references to other resources with detailed information about each particular vulnerability.  In addition, entries are complemented with vulnerability-specific blog postings from information security bloggers around the globe as well as relevant user comments about a given vulnerability.

With over 40,000 unique vulnerabilities already included in the database, OSVDB strives to be the most accurate and comprehensive collection of publicly available vulnerability information. A wiki-style editing format allows for quick and efficient updates that can constantly be revisited, and a team of experienced moderators reviews all changes for quality and accuracy before information is released to the public.  Companies can benefit from integrating OSVDB into their services by receiving increased visibility in the security industry as well as receiving acknowledged contribution to a community project.

Cross-referencing and integrating with OSVDB is easy via its new application programming interface (API), which can provide multiple result formats to fit various needs.  Queries can be run against any number of correlation factors, including CVE ID, Microsoft Bulletin ID, Bugtraq ID, and a host of other common reference points.  The API is also under constant development, and suggestions for improvements are quickly and easily implemented by the OSVDB development team.

Vendors and products currently using OSVDB as a resource include:

  • Nikto (http://cirt.net)
    Rated #1 Web Vulnerability Scanner and #12 overall Network Security Tool on insecure.org, over 400 OSVDB IDs cross-referenced.
  • Tenable Network Security's Nessus (http://www.nessus.org/nessus/)
    Rated #1 Network Security Tool on insecure.org, over 9500 OSVDB IDs cross-referenced, 10962 Nessus NASLs
  • Catbird (http://catbird.com)
    Commercial Vulnerability Assessment Service

Integrators can also choose to provide OSVDB with a list of filters and/or rules from their products for us to cross-reference by CVE or other reference points for inclusion in our "Tools and Filters" section. This section lists vendors that provide protection against a specific vulnerability, and can link off to the vendor's website, or to detailed documentation about the vendor's filter.

See http://osvdb.org/40229 for an example detailing Nessus rules in the Tools & Filters section for a given vulnerability. Inclusion in the Tools & Filters section benefits the community of visitors that utilize OSVDB, as well as the vendors themselves in terms of visibility.

For more information regarding the use and integration of OSVDB into a project or product, please email , visit the API documentation, or fill out the integration information request form.

Technical Details about the API

  • The API is a RESTful interface to the OSVDB database, and requires an API key.
  • Results are returned in either XML or CSV.
  • Allows OSVDB ID correlation to a growing list of other references and integrators' products.
  • Includes access to RSS feeds detailing updated OSVDB IDs (must be granted access to feeds by moderators).
  • 100 queries per day (to raise this, consider a donation and contact )

To get started using the API, create an account or log in, then visit the API documentation for usage instructions and examples.

The database information may change without any notice. Use of the information constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the copyright holder or distributor (OSVDB or OSF) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

© Copyright 2012 Open Source Vulnerability Database (OSVDB), All Rights Reserved.