Slashdot Mirror


Open Source Vulnerability Database Goes Live

Alascom writes "The Open Source Vulnerability Database project has finally gone live. The project aims to provide comprehensive, free and unbiased (no vendor spin) vulnerability information. The database is being incorporated into such fine open source utilities as SNORT and NESSUS."

12 of 142 comments

  1. Old news by RT+Alec · · Score: 3, Informative

    Not the project, just the posts. Sendmail vulnerability from 2002? FreeBSD vulnerability (top of the list, no less) from 2000? Did I miss something?

    1. Re:Old news by CaptainBaz · · Score: 5, Informative

      Not really - it's hard to take, but there really are systems out there who still haven't patched these vulnerabilities!

    2. Re:Old news by 4rest · · Score: 2, Informative

      Vulnerabilities that exist in OSVDB have a status and each vulnerability requires some work before we hand out the information. The vulnerabilities on the front page are the last ten vulnerabilities that have been deemed complete, and ready for general consumption.

      Check out the FAQ for more information.

  2. Not really. by FreeLinux · · Score: 3, Informative

    But CERT certainly has been.

  3. Slashdotted? by luferbu · · Score: 5, Informative

    As it seems to be already /.ed, here is the Google cache

  4. Those poor moderators! by LqqkOut · · Score: 2, Informative
    Kudos to the OSVDB crew!
    I wish you much success on completing your vulnerability update/addition modules so that your moderators' inboxes can have some breathing room!

    With Retina at $995 for 16 IP's, this additional gunpower for OSS will really keep the commercial vendors on their toes.

    Maybe this will create a better turn-around time for M$'s "Security Initiative" too... Oh, wait, it's 4/2!

    --
    In Soviet Russia, radio listens to YOU!

  5. already been done by musikit · · Score: 4, Informative

    you know i hate the company but it has already been done and is most likely a better DB.

    the MITRE Common Vulnerabilities and Exposures DB

    http://www.cve.mitre.org/

  6. Re:Can hear MS from here by Wavemaker · · Score: 2, Informative

    http://cexx.org has a list of potential threats in popular Windows software as well as ways to counter them, you might want to check it out.

  7. oval.mitre.org by eludom · · Score: 2, Informative

    Yunz may want to look at http://oval.mitre.org
    In addition to listing WHAT the vulnerability is,
    it tries to define standardized methods for determining
    HOW to test for it.

  8. Re:www.linuxsecurity.com by kernelfoobar · · Score: 3, Informative

    This covers all products all platforms, not just Linux, *BSD etc...

    --
    Here we go again!
  9. Re:Can hear MS from here by Michalson · · Score: 2, Informative

    Actually there is truth to your statement. Previously it was easier to hide vulnerabilities in open source projects or keep them on some obscure page.

    For instance do a search on Mozilla. They are issuing reports on vulnerabilities in 1.6. That represents a very big hole in Mozilla's normal security model, which relies on keeping all the vulnerabilities they have a secret for 2 minor versions. If this site starts making public the almost monthly arbitrary code execution vulnerabilities in Mozilla, while a lot of people are still using those versions, it could be a very, very bad thing. With Mozilla becoming an ever more popular browser you could see people starting to make trojan installs and spyware targeted at Mozilla just like it is at IE now.

  10. Re:Can hear MS from here by kernelfoobar · · Score: 2, Informative

    try Windows Vunerability to be more precise. It yields 16,600 hits
    You are comparing a company to Linux. Compare platform to platform instead.

    --
    Here we go again!