oss-sec mailing list archives

Re: wiki: vendor info & osvdb.org/vendors


From: security curmudgeon <jericho () attrition org>
Date: Sat, 5 Apr 2008 17:52:39 +0000 (UTC)


: I am not so sure.  On our wiki, we have a separation between distro 
: vendors and individual Open Source projects - and I like it.  I haven't 
: found a way to extract a list of distro vendors only from osvdb.org.

Based on what I have seen from this list, that is a very important 
distinction and something the Wiki may be better suited for. OSVDB aims to 
focus more on 'where the vulnerability is' over 'who distributes' it. The 
more I work on VDBs, the more I realize that it becomes a mess trying to 
track some open-source packages and what products/packages use them.

: Also, some vendors and projects may have relevant info that just does 
: not fit into pre-defined fields on osvdb.org - yet it may be specified 
: in entries on the wiki.

OSVDB has a 'notes' field for each vendor to accommodate this.

We actually have tickets open to expand the vendor database to include a 
rating system for vendor response, tickets open to track more dates 
related to the disclosure of a vulnerability (and then automatically 
generate time based statistics for vendors), and more. I know our system 
isn't perfect by any means, but we'd love to expand and build our vendor 
database as much as possible.

: It is a good idea to update the info at osvdb.org with whatever we have. 
: For example, I was not able to find rPath in the osvdb.org database. 
: Then the vendors/projects themselves would need to remember to keep 
: those entries up to date as well...

Right, good chance we don't have rPath and a few other Linux distros. 
However, you or anyone else can add them in one way or another. If you 
find a vulnerability that affects rPath, you can add them to the product 
list on the given entry, which populates the vendor database.
