Open Source Vulnerability Database Shuts Down

Reader StonyCreekBare writes: From the Blog at osvdb.org "As of today, a decision has been made to shut down the Open Source Vulnerability Database (OSVDB), and will not return. We are not looking for anyone to offer assistance at this point, and it will not be resurrected in its previous form. This was not an easy decision, and several of us struggled for well over ten years trying to make it work at great personal expense. The industry simply did not want to contribute and support such an effort."

Re:Well, their choice

[TheRaven64]

They probably shut down because the MITRE's CVE database is pretty much regarded as the canonical database for all vulnerabilities, open and proprietary. I've not see a security advisory that didn't have a CVE number for a long time. I don't remember ever seeing one with a reference to OSVDB.

the major reason it shut down

[nimbius]

The project promoted greater, open collaboration between companies and individuals.

thats not what companies want. its been my experience as a security researcher that if and when you discover a vulnerability for $product, the parent vendor typically wants to:
1. STFU: stop reporting the issue, stop investigating the exploit, and dont touch the product ever again. Ive had cease and desist orders and gag orders show up at my door for finding pretty massive issues with PCI and point of sale vendors in particular.
2. get lost: fork over what you know, sign a nondisclosure form, and fuck off. if we see you at a conference, we will set you on fire. You were never here and we never spoke to you. medical vendors are pretty good at this.
3. go straight to jail: I once had an amusement park pull this shit over a SCADA report. Yes, i had to hire an attorney. No, they didnt 'win.' Yes, it wrecked a solid 4 months of my life.

the industry DGAF about what you found or how you found it. outside of devops darlings and well known players in cloud and open source, most companies would rather you drop dead than engage in any sensible reporting on their products vulnerability to common exploit.

MITRE CVE is not everything

[mx+b]

They probably shut down because the MITRE's CVE database is pretty much regarded as the canonical database for all vulnerabilities, open and proprietary. I've not see a security advisory that didn't have a CVE number for a long time. I don't remember ever seeing one with a reference to OSVDB.

MITRE itself has a list of things it thinks deserve CVE IDs: https://cve.mitre.org/cve/data_sources_product_coverage.html for details. Things outside of this list may not ever receive a CVE ID, even if they are valid vulnerabilities.

The takeaway is that lots of products have vulnerabilities but never receive CVEs or are included in the CVE dictionary. This is why alternates like OSVDB popped up, and why alternate vulnerability ID systems popped up recently (see DWF as a primary example).

It's a shame to lose something like OSVDB, as there really isn't a good canonical source of ALL vulnerabilities. MITRE's CVE works for vulnerabilities in big name products, but it is nowhere near inclusive of all vulnerabilities reported. Of course, OSVDB hasn't been updated recently either, so there's a big gap in even knowing what's out there. Maybe projects like DWF will help us move in that direction.