Open-source vulnerabilities database shuts down

Jon Gold | April 8, 2016
OSVDB co-founder HD Moore discusses demise of open-source project.

Jake eventually started Risk Based Security, which had an exclusive license to the OSVDB content, monetized it, and theoretically put some money back into hosting and operations. A number of blog posts were written complaining about people "stealing" the data, large companies running web scrapers, and generally going against Jake's view of the project.

Why shut it down now?

The biggest problem was the name: OSVDB starts with the word Open, but the content was becoming more and more difficult to access. Bulk downloads were first put behind a login, then disabled entirely. The web site was put behind CloudFlare with captchas to stop scrapers. All of that culminated with this year's shutdown.

The project (as OSVDB) was semi-dead for the last few months. I think they stopped taking external contributions in the middle of last year. Starting around February the entire public web site redirected to the blog.

It was as good a time to kill it as any given the status.

What are the effects on the security community going to look like?

Dozens of security products use OSVDB references (including Metasploit), which now all point to a defunct web site. Many vulnerabilities have no identifier besides the OSVDB ID. All of those need to be updated to point somewhere else. Since the content is commercial only, it also wouldn't be legal for someone to host a mirror.

OSVDB had a great data model and was ridiculously complete. This required a huge amount of effort to keep up with new vulnerabilities and maintain changes to old ones.

There is a lot of discussion happening (Twitter, IRC, and 1:1 calls) about what to replace it with and what a replacement would look like. There are some minimal efforts to provide bare-bones identifiers (DWF, Openwall's generator, etc.), but no coordinated effort to build a comprehensive historical vulnerability database. There are a number of companies who could bootstrap a new database with their commercial datasets (Qualys, Tenable, Rapid7, Secunia, IBM, etc.) but it isn't clear if any of them are interested.
