An open-source project devoted to cataloguing an enormous range of computer security flaws has closed its doors as of Tuesday, according to an announcement on the Open Source Vulnerability Database's blog.
The OSVDB, which was founded in 2002, was meant to be an independent repository for security information, allowing researchers to compare notes without oversight from large corporate software companies.
One of its founders was HD Moore, a well-known hacker and security researcher, best known for his development of the Metasploit framework, a software suite widely used for penetration testing. Moore recently left security firm Rapid7 for a forthcoming venture capital firm that will focus on infosec startups.
Network World interviewed Moore via email and got his take on the life and death of OSVDB.
What was the original idea behind the OSVDB project?
The origin of the OSVDB project was a conversation between myself, RFP [Rain Forest Puppy, a noted white hat hacker], Steve Manzuik, Chris Wysopal, and a few others who were concerned about what would happen to the Bugtraq database after the Symantec acquisition of SecurityFocus (its previous owner). The irony is that Bugtraq/SecurityFocus under Symantec has now outlived OSVDB.
The group argued a bunch about what OSVDB should be, who should fund it, and how it would be built. A few months later, the project lost momentum, and the original group of researchers (including me) kind of gave up on it.
And what happened then?
A few months later Jake Kouns took over, creating the Open Security Foundation as a parent organization for OSVDB, with Forrest Rae rewriting the codebase from scratch, and Brian Martin (jericho) getting involved. A number of security folks were heavy contributors to the content over the years (myself included in the early days). In terms of funding, there wasn't a lot of direct cash funding that I know of, but companies like Digital Defense donated developer time and servers for hosting. Jake and the team did a great job of getting visibility for the project, but struggled to get help with the backend codebase, and started to sour on the community in general.
So what went wrong?
There was a shift from "open source" meaning the data was open, to "open sourced" meaning that they owned all of it, and Jake started to complain about how the community was not contributing enough. Every year or so, Jake would threaten to shut down the project, and made comments about how it was better to hire low-rate overseas editors than to work with the security community. By 2005 or so, it was pretty clear that the future of OSVDB was not going to be open.
Jake eventually started Risk Based Security, which had an exclusive license to the OSVDB content, monetized it, and theoretically put some money back into hosting and operations. A number of blog posts were written complaining about people "stealing" the data, large companies running web scrapers, and generally going against Jake's view of the project.
Why shut it down now?
The biggest problem was the name: OSVDB starts with the word Open, but the content was becoming more and more difficult to access. Bulk downloads were first put behind a login, then disabled entirely. The site was put behind CloudFlare with captchas to stop scrapers. All of that culminated with this year's shutdown.
The project (as OSVDB) was semi-dead for the past few months. I think they stopped taking external contributions in the middle of last year. Starting around February the entire public site redirected to the blog.
It was as good a time to kill it as any given the status.
What are the effects on the security community going to look like?
Dozens of security products use OSVDB references (including Metasploit), which now all point to a defunct site. Many vulnerabilities have no identifier besides the OSVDB ID. All of these need to be updated to point somewhere else. Since the content is commercial only, it also wouldn't be legal for someone to host a mirror.
OSVDB had a great data model and was ridiculously complete. This required a huge amount of effort to keep up with new vulnerabilities and maintain changes to old ones.
There's a lot of discussion going on (twitter, irc, and 1:1 calls) about what to replace it with and what a replacement would look like. There are some minimal efforts to provide bare-bones identifiers (DWF, OpenWall's generator, etc), but no coordinated effort to build a complete historical vulnerability database. There are a number of companies who could bootstrap a new database with their commercial datasets (qualys, tenable, rapid7, secunia, ibm, etc) but it isn't clear if any of them are interested.