Full Disclosure mailing list archives
Creating a publicly maintained vulnerability database
From: full-disclosure () lists netsys com (H D Moore)
Date: Fri, 19 Jul 2002 15:59:51 -0500
(sent this from the wrong account earlier, moderators please ignore the previous post) On Friday 19 July 2002 15:38, Chris Wysopal wrote:
So would you use a non-profit database that was populated by the vulnerability reporters themselves? That is what I am proposing.
I just started a similar project. I have about two dozen volunteers and am working on the first draft docs for schema, requirements, moderation, and licensing. The domain/project name is osvdb.org; the goal is to provide a community-run vulnerability database catering to the needs of system administrators and security professionals alike. We were planning on doing this earlier, and even went so far as to hire someone to create a nice Oracle schema, but lacked the time and urgency to do it until now.

One of the primary goals is to allow user feedback on vulnerabilities, such as problems applying patches in a given environment or exploiting the bug on a specific architecture. The submission process will have to be moderated; moderators would be volunteers from the industry who would like to contribute to something immediately useful.

My company, Digital Defense, has committed to populating the database with our own in-house data set, which should at least get the ball rolling. Much of the correlation work has already been done, so integrating CVE/BID/Nessus/Snort references should be pretty far along from the beginning.

Licensing terms will probably be GPLv2; we want OSS developers to be able to use exports from the database for their own tool reporting. While I would like to prevent commercial scan-in-a-box companies from abusing it, there's no licensing system I can think of that will prevent that but still allow consultants to provide reports using the verbiage. Plagiarism is absolutely not allowed, the only exception being quotes from the Vendor pertaining to the product, and those must be noted as such.

Below is a mini-announcement that was sent in reply to Jay's post on the Nessus mailing list...

---
To: "Jay D. Dyson" <jdyson () treachery net>
Date: Thu, 18 Jul 2002 03:53:24 -0500

On Wednesday 17 July 2002 17:47, Jay D. Dyson wrote:
On 18 Jul 2002, Michel Arboi wrote: Just curious: will they consider the Nessus community as "trusted security researchers" or as a gang of dangerous terrorists? Should we ask them? Just like this?

Yes and yes. I may catch hell for this, but I see the corporate community as not exactly having the Open Source world's best interests at heart. Just have a look at the sort of legislation and lobbying they carry out under the guise of "security." It's enough to make a body swear off computing forever...
After talking to an SF employee and reading the two announcements that were sent out, this is the impression that I got: Symantec is allowing the mailing lists and SF web site to be operated just as they were previously, by the same people. Their disclosure policy only applies to vulnerabilities *found* by them; it has no bearing whatsoever on the list traffic or exploits on the web site. The only piece I am worried about is whether not-quite-public bugs, such as those reported through the vuln-help list or during vendor coordination, will be made known to "trusted security researchers" at Symantec before release. Symantec could always change their mind later, making all of the above null and void, but considering the dedication of the Security Focus staff and their full-disclosure views, I am willing to give it a chance and see how things work out. Regardless, the deal is not final until August sometime.

On another note, an open source vulnerability database project has been started. This database will be filled and maintained by the community, providing complete support for CVE, Bugtraq, Nessus, and Snort. We are still in the design phase, gathering requirements from system administrators and pen-testers alike, hashing out the table structure, and deciding where to host it. A few of the DDI staff and I are going to populate it with what we can, but once the interface is up and volunteers are found, it will be in the hands of the community. The database will be exportable in a number of different formats and can be included and used by open source security tools. There may be some restrictions on commercial use (no sense keeping the idiots in business), but those restrictions will have to be approved by the community first.

If you have any suggestions, ideas, questions, flames, or just want to get involved, please email them to osvdb () digitaloffense net for the time being.

-HD
Current thread:
- Creating a publicly maintained vulnerability database Steven M. Christey (Jul 19)
- Re: Creating a publicly maintained vulnerability database Pascal Meunier (Jul 19)
- <Possible follow-ups>
- Creating a publicly maintained vulnerability database H D Moore (Jul 19)
- Creating a publicly maintained vulnerability database full-disclosure () lists netsys com (Jul 19)