Open Source Vulnerability Database Shuts Down (osvdb.org)
Reader StonyCreekBare writes: From the Blog at osvdb.org "As of today, a decision has been made to shut down the Open Source Vulnerability Database (OSVDB), and will not return. We are not looking for anyone to offer assistance at this point, and it will not be resurrected in its previous form. This was not an easy decision, and several of us struggled for well over ten years trying to make it work at great personal expense. The industry simply did not want to contribute and support such an effort."
http://www.securityfocus.com/ This is one I check on periodically. It has both open source and closed source vulnerabilities. Yeah, I know it is Symantec, but even a stopped clock is right twice a day unless it's digital ;)
They probably shut down because MITRE's CVE database is pretty much regarded as the canonical database for all vulnerabilities, open and proprietary. I've not seen a security advisory that didn't have a CVE number for a long time. I don't remember ever seeing one with a reference to OSVDB.
I am TheRaven on Soylent News
The project promoted greater, open collaboration between companies and individuals.
That's not what companies want. It's been my experience as a security researcher that if and when you discover a vulnerability for $product, the parent vendor typically wants to:
1. STFU: stop reporting the issue, stop investigating the exploit, and don't touch the product ever again. I've had cease and desist orders and gag orders show up at my door for finding pretty massive issues with PCI and point of sale vendors in particular.
2. Get lost: fork over what you know, sign a nondisclosure form, and fuck off. If we see you at a conference, we will set you on fire. You were never here and we never spoke to you. Medical vendors are pretty good at this.
3. Go straight to jail: I once had an amusement park pull this shit over a SCADA report. Yes, I had to hire an attorney. No, they didn't 'win.' Yes, it wrecked a solid 4 months of my life.
The industry DGAF about what you found or how you found it. Outside of devops darlings and well known players in cloud and open source, most companies would rather you drop dead than engage in any sensible reporting on their products' vulnerability to common exploits.
Good people go to bed earlier.
One way or another, they hope to monetize it.
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
This has been the front page story, until lately:
https://yro.slashdot.org/story/16/04/06/1529210/nest-reminds-customers-that-ownership-isnt-what-it-used-to-be
Is slashdot applying censorship? Who are really the new overlords? Has Alphabet paid SlashdotMedia to silence its criticism?
I would find this troubling indeed, only it appears that it's just a second-page story now. There's this new thing called the passage of time.
MITRE itself has a list of things it thinks deserve CVE IDs; see https://cve.mitre.org/cve/data_sources_product_coverage.html for details. Things outside of this list may not ever receive a CVE ID, even if they are valid vulnerabilities.
The takeaway is that lots of products have vulnerabilities but never receive CVEs or never get included in the CVE dictionary. This is why alternates like OSVDB popped up, and why alternate vulnerability ID systems popped up recently (see DWF as a primary example).
It's a shame to lose something like OSVDB, as there really isn't a good canonical source of ALL vulnerabilities. MITRE's CVE works for vulnerabilities in big name products, but it is nowhere near inclusive of all vulnerabilities reported. Of course, OSVDB hasn't been updated recently either, so there's a big gap in even knowing what's out there. Maybe projects like DWF will help us move in that direction.
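The coverage gap described in the comment above is a practical problem for anyone tracking exposure: the same flaw can exist under an OSVDB id, a CVE id, both, or neither. The following added example (not code from OSVDB, MITRE, DWF or any commenter) shows one way a defender would reconcile records from several identifier namespaces and list the entries that have no CVE at all. The feed records, product names and identifiers are constructed for the example; nothing here is a real vulnerability.

```python
import re
from dataclasses import dataclass, field

# Identifier namespaces we recognise. The CVE pattern is the real syntax;
# the OSVDB pattern is assumed for the sake of the example.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
OSVDB_RE = re.compile(r"\bOSVDB-\d+\b")


@dataclass
class VulnRecord:
    ident: str                      # primary id assigned by the feed it came from
    product: str
    summary: str
    refs: list = field(default_factory=list)  # cross-references into other namespaces


# Constructed sample feed: one CVE-style source and one OSVDB-style source.
# Note that two records describe the same flaw (linked by a cross-reference)
# and that two records have no CVE counterpart at all.
SAMPLE_RECORDS = [
    VulnRecord("CVE-2015-0001", "WidgetServer 2.1", "Buffer overflow in request parser"),
    VulnRecord("OSVDB-100001", "WidgetServer 2.1", "Buffer overflow in request parser",
               refs=["CVE-2015-0001"]),
    VulnRecord("OSVDB-100002", "PointOfSaleX 4.0", "Hard-coded credentials in admin console"),
    VulnRecord("OSVDB-100003", "ParkControl SCADA HMI", "Unauthenticated command endpoint"),
    VulnRecord("CVE-2015-0002", "BigNameBrowser 40", "Use-after-free in renderer"),
]


def merge_records(records):
    """Group identifiers that are joined by cross-references (union-find),
    so one vulnerability known under several ids becomes a single entry."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    by_id = {r.ident: r for r in records}
    for r in records:
        find(r.ident)                       # register even if it has no refs
        for ref in r.refs:
            union(r.ident, ref)

    groups = {}
    for ident in list(parent):
        groups.setdefault(find(ident), set()).add(ident)

    merged = []
    for ids in groups.values():
        recs = [by_id[i] for i in ids if i in by_id]   # refs may point outside the feed
        merged.append({
            "ids": sorted(ids),
            "products": sorted({r.product for r in recs}),
            # A dangling CVE cross-reference still counts as CVE coverage.
            "has_cve": any(CVE_RE.fullmatch(i) for i in ids),
        })
    return sorted(merged, key=lambda m: m["ids"][0])


def cve_coverage_gaps(merged):
    """Entries that exist in some feed but carry no CVE id anywhere."""
    return [m for m in merged if not m["has_cve"]]


if __name__ == "__main__":
    merged = merge_records(SAMPLE_RECORDS)
    for entry in merged:
        print(entry["ids"], entry["products"], "CVE" if entry["has_cve"] else "NO CVE")
    print("entries without a CVE:", len(cve_coverage_gaps(merged)))
```

With the constructed feed the five records collapse to four distinct entries, two of which (the point-of-sale and SCADA products) have no CVE, which is exactly the kind of blind spot a CVE-only feed would hide. In a real deployment the `refs` field would be populated from each source's own cross-reference data rather than typed in by hand.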