OSVDB F.A.Q.

What does the acronym "OSVDB" stand for?
What is the purpose of OSVDB?
Does OSVDB only focus on Open Source product vulnerabilities?
What are the origins of OSVDB?
What are the benefits of OSVDB?
What process is used to enter vulnerabilities into the database?
How can I submit updates to existing vulnerabilities to OSVDB?
Does OSVDB have a license?
How is OSVDB different than CVE?
What does it mean to mangle and what is a data mangler?
Why isn't my name listed as a contributor?
I have a great idea for the database, general questions and/or concerns, whom should I contact?
What does the future have in store for OSVDB?

 

Q. What does the acronym "OSVDB" stand for?

A: Open Sourced Vulnerability Database.

Q. What is the purpose of OSVDB?

A: OSVDB was conceived as an unbiased, vendor-neutral vulnerability database for use by individuals involved in the information security community.

The overall goals of the project are to provide a truly comprehensive vulnerability database, evolve the features and abilities of such databases, and be able to provide the necessary information for both personal and commercial users.

Q. Does OSVDB only focus on "Open Source" product vulnerabilities?

A: Many people have asked this question, and despite what you might assume from the name, OSVDB is not just interested in collecting data on flaws in open source software. Instead, the project collects information on vulnerabilities in all types of products, including commercial software. The "Open Source" in the name refers to how the project obtains the information in our database: it is collected via open sourced intelligence. It was also hoped that the community would contribute to the project in an open source manner, but that failed to materialize.

Q. What are the origins of OSVDB?

A: On August 1, 2002, at the Black Hat and Defcon security conferences, two new services and a new partnership for community-based security information sources were announced. OSVDB was one of the new services announced, and many members of the security community were involved with the original development. Unfortunately, the momentum of all of the announced services began to crumble and OSVDB was in danger of collapsing.

On August 1, 2003, at the Defcon security conference, a full year after the original announcement of OSVDB, two original team members (Sullo and Forrest) recruited a new member (Jake) to work on the project. At that point the three breathed new life into the project, and many major accomplishments have been achieved since. The new team of three leading members committed to delivering the database to the community.

Q. What are the benefits of OSVDB?

A: The overall goal of OSVDB is to decrease the work and expense involved in maintaining an in-house vulnerability database for everyone in the security community. In addition, the database will attempt to help the vulnerability community standardize in many aspects.

Q. What process is used to enter vulnerabilities into the database?

A: Entries are primarily entered into the database by full-time staff of Risk Based Security, our primary sponsor. Vulnerability sources include security mailing lists, exploit aggregation sites, vendor websites, and a lot more. Once a vulnerability is determined to be valid, it is added to the database in a pending mode and prioritized for review by project moderators.

Q. How can I submit new vulnerabilities to OSVDB?

A: At this time the only way to submit a vulnerability is by contacting an OSVDB moderator. Please send information to [email protected]. This is done to ensure that entries are reviewed, and to avoid duplicate entries.

Q. How can I submit updates to existing vulnerabilities to OSVDB?

A: Sign up for an account to submit updates yourself, or email requested changes and additional information to the project moderators.

Q. Does OSVDB have a license?

A: Yes. It can be found here: http://osvdb.org/osvdb_license. If you have any questions or would like to use OSVDB in a product or service, please contact us at [email protected] to discuss the details. Commercial use of OSVDB data requires a separate fee-based license agreement managed by our commercial partner, Risk Based Security.

Q. How is OSVDB different than CVE?

A: Common Vulnerabilities and Exposures (CVE) simply provides a standardized name for vulnerabilities, much like a dictionary. OSVDB is a database that provides a wealth of information about each vulnerability. Where appropriate, entries in the OSVDB reference their respective CVE names. In addition, over the past 8 years, OSVDB has imported over 23,000 vulnerabilities that cannot be found in CVE. Through our extensive list of sources and dedication, we continue to add more vulnerabilities a day than any other vulnerability database.

Q. What does it mean to mangle and what is a data mangler?

Mangle: To mutilate or disfigure by battering, hacking, cutting, or tearing.

A: OSVDB uses the term mangle or mangling to define when an entry in the database is being worked on. A data mangler is a member of the project who mangles entries.

Q. Why isn't my name listed as a contributor?

A: Companies, organizations and individuals that have donated hardware, software, and great amounts of time to this project are listed on this page. If you submit vulnerabilities to the site, you have the option to put your name or company name in the "Credit" section. If you feel that you should be included on this page, please contact the project moderators and explain the situation.

Q. I have a great idea for the database, general questions and/or concerns, whom should I contact?

A: We would love to hear from you no matter what the feedback. Please email the moderators.

Q. What does the future have in store for OSVDB?

A: OSVDB has been supporting the security community for 10 years and provided a lot of great value. At this point, with the lack of volunteer support and sponsors, we are in the process of determining a new path moving forward. Our intent is to continue to provide information via the web interface as a free resource for the community. Alternate methods of obtaining the data, such as API or exports, are no longer supported via OSVDB. These methods of access will be offered by a partner. Contact [email protected].

The database information may change without any notice. Use of the information constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the copyright holder or distributor (OSVDB or OSF) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

© Copyright 2002 - 2013 Open Sourced Vulnerability Database (OSVDB), All Rights Reserved.