This article outlines the origins, purpose, and future of the Open Source Vulnerability Database project. We also talk with Tyler Owen, a major contributor.

Introduction:

The open source community has long been fueled by the drive and inspiration of those wishing to produce software for the good of everyone. Open source allows its users to achieve things that would have otherwise not been possible. Often, proprietary software is too expensive, not flexible, and full of bugs. Users of proprietary software work at the mercy of their vendors with little to no influence on features or functionality. Those organizations who demand security often have trouble getting proprietary software vendors to comply. Open source is a great solution for those wishing to have complete control including over security, flexibility, and functionality.

Open source thrives on those wishing to share their work for the benefit of the community. For an open source project to succeed, it must be backed by individuals who are fully committed to it. Contributors must be willing to donate time and money to advance the cause. Often, open source projects are not properly funded until they are already well established.

Recently, I have had the great pleasure of talking with Tyler Owen, a contributor to the Open Source Vulnerability Database project. He and others associated with the project have shown a lot of initiative. Although it has been slow getting off the ground, there has been a renewed commitment to provide the open source community with a database that indexes security vulnerabilities. Rather than individual open source users being burdened with keeping track of vulnerabilities on their own, OSVDB is striving to make this a collaborative process so that work is not duplicated and everyone can benefit.

Below is the press release that was submitted to LinuxSecurity.com, followed by a short interview with Tyler Owen, a contributor to OSVDB.


OSVDB Press Release:


Getting reliable and complete information on security vulnerabilities is typically a hunt among dozens of web sites and mailing lists, not to mention dealing with proprietary and copyrighted information. No more. The folks at the Open Source Vulnerability Database (OSVDB) have been busy building a database and system to catalog and explain thousands of vulnerabilities.

OSVDB is currently recruiting security enthusiasts to support the project and help bring the database up to date. The role is expected to update at least one vulnerability entry per day over a period of a month.

On average it takes only 15 to 30 minutes to complete a vulnerability entry. If you are interested in contributing, please visit the website to read more about the project and then apply at .

We are looking for long term support from the security community in a number of ways. We would like to see open source products, websites, and companies start to reference OSVDB IDs. Even though OSVDB is a non-profit project, donations of hardware (hard drives), Microsoft polo shirts and money would greatly help.

The OSVDB database is currently on schedule to go live on 03/31/2004, and without the support of the community this effort would not be possible!


Interview with Contributor to OSVDB, Tyler Owen:

LINUXSECURITY.COM: When did this project first start?

Tyler Owen (OSVDB): On August 1, 2002, at the Black Hat and Defcon security conferences, two new services and a new partnership for community-based security information sources were announced. OSVDB was one of the new services announced, and many members of the security community were involved with the original design.

LINUXSECURITY.COM: Whose idea was it, and what is the objective?

Tyler Owen (OSVDB): OSVDB was developed by quite a few prominent members of the information security community as a major open source vulnerability database was purchased by a large corporation. Original contributors as well as individuals that are currently involved with the OSVDB can be found on the project's website at

The concept of the OSVDB was introduced as a method of implementation for an unbiased, vendor neutral vulnerability database for utilization by individuals involved in the information security community.

LINUXSECURITY.COM: What benefit does your project provide the open source community?

Tyler Owen (OSVDB): The overall goals of the project are to promote greater, more open collaboration between companies and individuals, eliminate redundant work, and reduce the expenses inherent in developing and maintaining in-house vulnerability databases.

LINUXSECURITY.COM: How does the process work from beginning to end?

Tyler Owen (OSVDB): The primary way vulnerabilities are entered into the database is from numerous security mailing lists. Once a vulnerability is determined to be valid, it is added to the database in a pending mode and prioritized to be reviewed and edited by an OSVDB data mangler. After the mangler completes the editing process, the entry is reviewed by a moderator and added to the stable queue.
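The pipeline described in that answer (pending, mangler edit, moderator review, stable queue) is a small state machine with separated roles. The following is an added example written for this article, not OSVDB's own code; the role names, the rule that a moderator may not approve an entry they edited themselves, and the sample entry are assumptions.

```python
"""Toy model of the OSVDB intake pipeline described in the interview:
mailing-list report -> pending -> mangler edits -> moderator review -> stable.
Added example, not OSVDB's own code; the roles and rules are assumptions."""
from enum import Enum


class State(Enum):
    PENDING = "pending"   # judged valid from a mailing list, awaiting a mangler
    EDITED = "edited"     # mangler finished editing, awaiting a moderator
    STABLE = "stable"     # moderator approved; entry sits in the stable queue


class Role(Enum):
    MANGLER = "mangler"
    MODERATOR = "moderator"


# The only transitions the pipeline allows, keyed by (current state, acting role).
# Anything else (for example a mangler pushing straight to stable) is refused.
TRANSITIONS = {
    (State.PENDING, Role.MANGLER): State.EDITED,
    (State.EDITED, Role.MODERATOR): State.STABLE,
}


class Entry:
    def __init__(self, title, source):
        self.title = title
        self.source = source          # where the report came from (constructed)
        self.state = State.PENDING    # every new entry starts in pending mode
        self.history = []             # audit trail: (actor, role, from, to)


def advance(entry, actor, role):
    """Move an entry one step along the pipeline, enforcing the acting role
    and separation of duties; returns the new state or raises PermissionError."""
    target = TRANSITIONS.get((entry.state, role))
    if target is None:
        raise PermissionError(f"{role.value} may not act on a {entry.state.value} entry")
    # Assumed rule: the reviewing moderator must not be the mangler who edited it.
    if role is Role.MODERATOR and any(
        h[0] == actor and h[1] is Role.MANGLER for h in entry.history
    ):
        raise PermissionError(f"{actor} edited this entry and cannot also approve it")
    entry.history.append((actor, role, entry.state, target))
    entry.state = target
    return entry.state
```

The audit trail in `history` is what a moderator would consult to see who touched an entry before it reached the stable queue.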

LINUXSECURITY.COM: How does someone submit a vulnerability, and who will query the database later?

Tyler Owen (OSVDB): At this time it is not possible for the community to submit new entries to the database. However, it is a feature that is currently under development and will be offered shortly. When completed, the primary method for submitting new vulnerabilities will be a web form located on the main OSVDB site.

Anyone can query the database; it is done for the community. Our hope is that security-related products, vendors, and the community will reference our database and that it will become a repository for the security community.

LINUXSECURITY.COM: Who have been some of the most active contributors to the project?

Tyler Owen (OSVDB): On August 1, 2003, at the Defcon security conference, a full year after the original announcement of OSVDB, the momentum of all of the announced services began to crumple and OSVDB was in danger of collapsing. Two original team members (Sullo and Forrest Rae) recruited a new member (Jake Kouns) to work on the project. At that point the three breathed new life into the project, and many major accomplishments have been achieved. The three new leading members have committed to delivering the database to the community.

Two other recent members have been committed to updating the database: Jericho and myself, Tyler Owen. In addition to the volunteers on the project, Digital Defense, Inc. provides the server and all the bandwidth for the project. Digital Defense, Inc. has also been extremely supportive of the project and has contributed many hours of development time to the software that makes the database possible.

LINUXSECURITY.COM: Are you looking for more talent?

Tyler Owen (OSVDB): We have an immediate need for individuals with information security experience to join the project and help update the database. The role is expected to update at least one vulnerability per day over a period of a month. On average, it may take 15 to 30 minutes per vulnerability. If you are interested in contributing, please visit the website to read more about the project and then apply at .

LINUXSECURITY.COM: What else can be done to support OSVDB?

Tyler Owen (OSVDB): We are looking for long term support from the security community in a number of ways. We would like to see open source products, websites, and companies start to reference OSVDB IDs. Even though OSVDB is a non-profit project, donations of hardware and money would greatly help.

I wish to thank Tyler and the other contributors to the Open Source Vulnerability Database project. You have shown a great commitment to the advancement of the open source security community. We at LinuxSecurity.com would like to wish you the best of luck!