Slashdot Mirror


Open Source Vulnerability Database Goes Live

Alascom writes "The Open Source Vulnerability Database project has finally gone live. The project aims to provide comprehensive, free and unbiased (no vendor spin) vulnerability information. The database is being incorporated into such fine open source utilities as SNORT and NESSUS."

16 of 142 comments

  1. Running on PostgreSQL, too... by tcopeland · · Score: 4, Interesting

    ...per the database info page.

    <shameless>
    Hey OSVDB folks, here's a little utility to do some PostgreSQL query analysis!
    </shameless>

  2. Naming is important by Space+cowboy · · Score: 4, Interesting


    The name implied to me that it is only vulnerabilities in Open Source programs/systems that will be tracked, but reading the FAQ it seems to be that the database itself is open-source, and the database covers all systems. I think they could have named it better.

    Simon

    --
    Physicists get Hadrons!
  3. securityfocus by Anonymous Coward · · Score: 2, Interesting

    Isn't securityfocus doing that already?

  4. Mmmmm.... by jwthompson2 · · Score: 3, Interesting

    No vendor spin on security issues. Now we can know the truth to the best of our ability without corporate FUD, hype or downplay.

    Gotta love technology when it helps get the full-truth out there.

    --
    Even if I knew that tomorrow the world would go to pieces, I would still plant my apple tree. -Martin Luther
  5. Can hear MS from here by Phisbut · · Score: 4, Interesting
    I can hear it from here... Microsoft saying "See, Open Source isn't more secure than our stuff... there is a public database that all hackers and crackers can use to exploit known vulnerabilities..."

    How long will it take till they say that?

    --
    After 3 days without programming, life becomes meaningless
    - The Tao of Programming
    1. Re:Can hear MS from here by MrRuslan · · Score: 3, Interesting

      I thought the Knowledge Base was limited to mostly Microsoft products... What I had in mind was an independent database for all Windows software, because some software causes Windows to be worse than it actually is... And not just for bugs but also for general issues and annoyances... Like AOL advertising itself everywhere after you install Winamp or AIM, and software changing your homepage and advertising in weird places on your system.

    2. Re:Can hear MS from here by kernelfoobar · · Score: 2, Interesting

      I've got to add, though, that comparing security based on web search results is not very precise.

      --
      Here we go again!
  6. Cool! by MrFreshly · · Score: 4, Interesting

    This should be done for all types of software... Perhaps developers will be a little more careful with their coding, and end users will be able to see just how secure the software is before they commit to it.

  7. Finally == Security Focus BIASED as hell by Anonymous Coward · · Score: 4, Interesting

    Security Focus became BIASED as hell from when Symantec bought them. Finally a really neutral source of information. Thank you for doing this, guys...

  8. Re:Oh, yeah, this'll be *real* useful by AKnightCowboy · · Score: 3, Interesting
    Yeah, this'll be *real* useful. A database with entries that become obsolete after eight hours. "There's a Linux kernel vulnerability, and it...aw, darn." ;-)

    Why would the data become obsolete after 8 hours? Not everyone runs out and installs the latest version of something for the hell of it you know.

  9. Checklist by Anonymous Coward · · Score: 1, Interesting

    What about security checklists, are there any? I mean when making a fresh install, after applying all patches, what settings should be changed? For example restrictanonymous or nolmhash in WinXP, stuff like that.

  10. A good idea by PingKing · · Score: 1, Interesting

    Is it a good idea to have a one-stop shop for potential crackers out there? Do the benefits really outweigh the fact that it's just gotten a hell of a lot easier to find a vulnerability in someone's server?

    --

    Patriotism - the last resort of scoundrels.
  11. Re:already been done by brennz · · Score: 5, Interesting

    The CVE is "A Dictionary, NOT a Database" of vulnerabilities. It appears you aren't familiar with the CVE.

    You would be better off to compare the OSVDB against the ICAT metabase

    The ICAT has some serious shortcomings which make my work a big PAIN! (Try to cross-reference a specific vulnerability that matches 10 vulnerabilities.)

    OSVDB appears to better personify the open source paradigm in general, as such, I'd like to extend a warm welcome.

    We expect great things from you.

  12. To be a proper challenge to Security Focus: by Anonymous Coward · · Score: 1, Interesting

    1) Host mailing lists like Bugtraq.

    2) Publish security papers a la the SANS Reading Room and SF Infocus.

    If they can do that and the open source community would start using these, then SF and SANS would have some competition.

  13. Re:Old news by pmfp · · Score: 2, Interesting

    Which makes me wonder about Debian, they backport the patches and have a slow release cycle. The systems appear to be old and vulnerable, with only half of it being true... doesn't really match this reporting.

    --

    "So unmerciful is life, that everything afterwards is too late."
  14. Re:Oh, yeah, this'll be *real* useful by Anonymous Coward · · Score: 1, Interesting

    Well, in the OSS world, the latest version of something basically means "it's buggy so watch out... but it's got oodles of bug fixes and new features, too!" Technically, closed-source software does this too, and SELLS the product as an upgrade.

    With OSS, the monetary cost is often "free" -- which makes it ever so tempting to upgrade. The big exception here would be your production systems.