External references are provided to give additional information for a vulnerability entry. These references also serve to cross reference OSVDB IDs with other vulnerability databases and key resources. OSVDB makes every attempt to add any references available to each entry in the database. The project intends to fulfill the recognized community requirements for an open, centralized resource for security information.
The following guide will set standards for external references and provide additional information. These descriptions include the base URL where you can find more information, as well as what the OSVDB Mangler will input into the field. Many of these are designed so that we input a number or reference, and the backend will build the URL/link for us.
Qualities that typically lead to a product obtaining a unique External Reference are as follows:
- Partnership with OSVDB
- Considerable amount of references to OSVDB
- Other widely used projects/databases that provide similar services
- Direct link uses ID which can be easily mapped to a full URL
- Generic category that appears in over 50% of OSVDB entries
- Large vendor with considerable market share (Microsoft, etc.)
- Security tool that has cross-references with OSVDB
1. Vulnerability & Advisory Databases
2. General Categories
- Bugtraq - SecurityFocus Vulnerability ID cross reference. Data Example: 1234 (BID number)
- CERT Advisory - This is a cross reference to a CERT "CA" full advisory, not a knowledge base article or summary. This is for "old" CERT advisories, not the new and improved US-CERT advisories. Data Example: CA-2001-01 (CERT Advisory Number)
- CERT Vulnerability Notes Database (VU) This is a cross reference to a CERT VU entry that corresponds with ours. Data Example: 619982 (CERT VU Number)
- CIAC Advisory - This is a cross reference to a CIAC advisory. Data Example: O-084 (CIAC Advisory Number)
- CVE ID - Common Vulnerabilities and Exposures cross reference to OSVDB. Data Example: CVE-2004-0001 (CVE ID)
- ISS X-Force - ISS X-Force database cross reference with our entry. Data Example: 1234 (XF ID)
- Secunia Advisory - Secunia Vulnerability Database cross reference. Data Example: 10123 (Secunia Advisory ID)
- Security Tracker - Security Tracker cross reference. Data Example: 1009695 (Security Tracker ID)
- US-CERT Cyber Security Alert - US-CERT Advisory ID. This is a cross reference to the new and improved(tm) CERT advisories. Links should be to technical advisories when possible. Data Example: TA04-041A (Technical Security Advisory ID)
- Related OSVDB ID - Our own internal ID cross-reference. This is designed to cross-ref two or more entries that are disclosed via a single source (like one advisory). Other databases often assign one ID to multiple issues from one source while we split them up, which would be a good use of this external ref. Data Example: 1234 (OSVDB ID)
3. Security Tools & Resources
- Generic Exploit URL - If a site such as Packetstorm provides exploit code for a vulnerability, this external reference is used. Typically this should be in the form of exploit script/code, or a detailed text file explaining how to exploit it, not a full advisory.
- Generic Informational URL - The key word here is 'generic'. This link is designed to provide more information about a type or class of vulnerability, not a specific link to that product. Example: If the current entry is a XSS vulnerability, linking to a paper on how XSS attacks work is good.
- Keyword - Keywords are used for searching.
- News Article - For articles written in mainstream news outlets regarding this specific vulnerability.
- Other Advisory URL - For advisories written by third parties such as security companies, etc. In the case of a security advisory being released on a site and posted to mail lists, include both in case the security site becomes unavailable. An "advisory" in this context is a formal write up (date, product, vendor info, tech details, etc), not a random post or text file with little details.
- Other Solution URL - If a third party provides a solution (typically a patch, sometimes as a reply to a mail list post for example) this external reference should be used.
- Vendor Specific Advisory URL - This is a catch-all external reference for linking to advisories released by a vendor. This will be used for the dozens of Linux vendors who release their own advisories, or large companies that release advisories on their own products, such as Macromedia but not large enough to have their own unique reference.
- Vendor Specific News/Changelog Entry - If a vendor releases a specific news article or creates a changelog entry for the specific security issues this category should be used.
- Vendor Specific Solution URL - If a vendor releases a specific patch or details for mitigating a vulnerability, this external reference should be used.
4. Software Vendors
References slated for removal
- Nessus Script - Nessus Security Scanner plugin cross reference. Data Example: 10123 (Nessus Script ID)
- Snort Signature - Snort IDS Ruleset cross reference. Data Example: 123 (Snort ID)
- PacketStorm - PacketStorm reference for any available exploits.
- OVAL - Mitre's Open Vulnerability Assessment Language
- Vendor URL - The home page for a vendor or product. This is either a specific link to a section on the vendor home page, or just the vendor home page itself.