An open-source project dedicated to cataloguing a huge range of computer security flaws has closed its doors as of Tuesday, according to an announcement on the Open-Source Vulnerability Database’s blog.
The OSVDB, which was founded in 2002, was meant to be an independent repository for security information, allowing researchers to compare notes without oversight from large corporate software companies.
One of its founders was HD Moore, a well-known hacker and security researcher, best known for his development of the Metasploit framework, a software suite widely used for penetration testing. Moore recently left security firm Rapid7 for a forthcoming venture capital firm that will focus on infosec startups.
Network World interviewed Moore via email and got his take on the life and death of OSVDB.
What was the original idea behind the OSVDB project?
The origin of the OSVDB project was a conversation between myself, RFP [Rain Forest Puppy, a noted white hat hacker], Steve Manzuik, Chris Wysopal, and a few others who were concerned about what would happen to the Bugtraq database after the Symantec acquisition of SecurityFocus (its previous owner). The irony is that Bugtraq/SecurityFocus under Symantec has now outlived OSVDB.
The group argued a bunch about what OSVDB should be, who should fund it, and how it would be built. A few months later, the project lost momentum, and the original group of researchers (including me) kind of gave up on it.
And what happened then?
A few months later Jake Kouns took over, creating the Open Security Foundation as a parent organization for OSVDB, with Forrest Rae rewriting the codebase from scratch, and Brian Martin (jericho) getting involved. A number of security folks were heavy contributors to the content over the years (myself included in the early days). In terms of funding, there wasn't a lot of direct cash investment that I know of, but companies like Digital Defense donated developer time and servers for hosting. Jake and the team did a great job of getting visibility for the project, but struggled to get help with the backend codebase, and started to sour on the community in general.
So what went wrong?
There was a shift from "open source" meaning the data was open, to "open sourced" meaning that they owned it all, and Jake started to complain about how the community was not contributing enough. Once a year or so, Jake would threaten to close down the project, and made comments about how it was better to hire low-rate overseas editors than to work with the security community. By 2005 or so, it was pretty clear that the future of OSVDB was not going to be open.