oss-sec mailing list archives
Re: wiki: vendor info & osvdb.org/vendors
From: security curmudgeon <jericho () attrition org>
Date: Sat, 5 Apr 2008 17:52:39 +0000 (UTC)
: I am not so sure. On our wiki, we have a separation between distro
: vendors and individual Open Source projects - and I like it. I haven't
: found a way to extract a list of distro vendors only from osvdb.org.

Based on what I have seen from this list, that is a very important distinction and something the Wiki may be better suited for. OSVDB aims to focus more on 'where the vulnerability is' over 'who distributes' it. The more I work on VDBs, the more I realize that it becomes a mess trying to track some open-source packages and what products/packages use them.

: Also, some vendors and projects may have relevant info that just does
: not fit into pre-defined fields on osvdb.org - yet it may be specified
: in entries on the wiki.

OSVDB has a 'notes' field for each vendor to accommodate this. We actually have tickets open to expand the vendor database to include a rating system for vendor response, tickets open to track more dates related to the disclosure of a vulnerability (and then automatically generate time based statistics for vendors), and more. I know our system isn't perfect by any means, but we'd love to expand and build our vendor database as much as possible.

: It is a good idea to update the info at osvdb.org with whatever we have.
: For example, I was not able to find rPath in the osvdb.org database.
: Then the vendors/projects themselves would need to remember to keep
: those entries up to date as well...

Right, good chance we don't have rPath and a few other linux distros. However, you or anyone else can add them in one way or another. If you find a vulnerability that affects rPath, you can add them to the product list on the given entry, which populates the vendor database.