Creating a publicly maintained vulnerability database

[full-disclosure () lists netsys com (H D Moore)]

(sent this from the wrong account earlier, moderators please ignore the 
previous post)

On Friday 19 July 2002 15:38, Chris Wysopal wrote:
> So would you use a non-profit database that was populated by the
> vulnerability reporters themselves? That is what I am proposing.

  I just started a similar project. Have about two dozen volunteers and am
working on the first draft docs for schema, requirements, moderation, and
licensing. The domain/project name is osvdb.org, the goal is to provide a
community-run vulnerability database catering to the needs of system
administrators and security professionals alike. We were planning on doing
this earlier, even went so far as to hire someone to create a nice Oracle
schema, but lacked the time and urgency to do it until now.

  One of the primary goals is to allow user feedback on vulnerabilities, such
as problems applying patches in a given environment or exploiting the bug on
a specific architecture. The submission process will have to be moderated,
moderators would be volunteers from the industry who would like to contribute
to something immediately useful.  My company, Digital Defense, has commited
to populating the database with our own in-house data set, which should be at
least get the ball rolling. Much of the correlation work has already been
done, so integrating CVE/BID/Nessus/Snort references should be pretty far
along from the beginning. Licensing terms will probably be GPLv2, we want OSS
developers to be able to use exports from the database for their own tool
reporting. While I would like to prevent commercial scan-in-a-box companies
from abusing it, theres no licensing system I can think of that will prevent
that but still allow consultants to provide reports using the verbage.
Plagiarism is absolutely not allowed, only exception being quotes from the
Vendor pertaining to the product, and those must be noted as such.

Below is a mini-annoucement that was sent in reply to Jay's post on the
 Nessus mailing list...

---

To: "Jay D. Dyson" <jdyson () treachery net>
Date: Thu, 18 Jul 2002 03:53:24 -0500

On Wednesday 17 July 2002 17:47, Jay D. Dyson wrote:
> On 18 Jul 2002, Michel Arboi wrote:
> > Just curious: will they consider the Nessus community as "trusted
> > security researchers" or as a gang of dangerous terrorists?
> >
> > Should we ask them? Just like this?
>
>       Yes and yes.
>
>       I may catch hell for this, but I see the corporate community as
> not exactly having the Open Source world's best interests at heart.  Just
> have a look at the sort of legislation and lobbying they carry out under
> the guise of "security."  It's enough to make a body swear off computing
> forever...

  After talking to a SF employee and reading the two announcements that were
sent out, this is the impression that I got:

  Symantec is allowing the mailing lists and SF web site to be operated just
as
it was previously by the same people. Their disclosure policy only applies to
vulnerabilities *found* by them, it has no bearing whatsoever on the list
traffic or exploits on the web site.

  The only piece I am worried about is whether not-quite-public-bugs, such as
those reported through the vuln-help list or during vendor coordination, will
be made known to "trusted security researchers" at Symantec before release.

  Symantec could always change their mind later, making all of the above null
and void, but considering the dedication of the Security Focus staff and
their full-dislosure views, I am willing to give it a chance and see how
things work out. Regardless, the deal is not final until August sometime.

  On another note, an open source vulnerability database project has been
started. This database will be filled and maintained by the community,
providing complete support for CVE, Bugtraq, Nessus, and Snort.  We are still
in the design phase, gathering requirements from system administrators and
pen-testers alike, hashing out the table structure, and deciding where to
host it. Myself and a few of the DDI staff are going to populate it with what
we can, but once the interface is up and volunteers are found, it will be in
the hands of the community. The database will be exportable in a number of
different formats and can be included and used by open source security tools.
There may be some restrictions on commercial use (no sense keeping the idiots
in business), but those restrictions will have to be approved by the
community first. If you have any suggestions, ideas, questions, flames, or
just want to get involved; please email them to osvdb () digitaloffense net for
the time being.

-HD

-------------------------------------------------------