"Secrecy prevents people from accurately assessing their own risk. Secrecy precludes public debate about security, and inhibits security education that leads to improvements. Secrecy doesn't improve security; it stifles it."
This article introduces the Open Source Vulnerability Database (OSVDB) project which manages a global collection of computer security vulnerabilities. It is freely available to the information security community. This collection contains information on known security weaknesses in operating systems, software products, protocols, hardware devices, and other infrastructure elements of information technology. The OSVDB project is intended to be the centralized global open source vulnerability collection on the Internet.
A vulnerability is an error or weakness in a component that allows it to be attacked, resulting in unauthorized use of the item or in damage to it and components connected to it. In an information technology network like the Internet, successful exploitation of vulnerabilities can result in operating system damage, illegal release of information, data destruction, disruption of service, and a galaxy of other tribulations.
Although we often discuss vulnerabilities in general terms like "open to man-in-the-middle attack" or "allows remote buffer overflow", attackers and defenders know that the essence of a security vulnerability is never the general description, but rather the vulnerability's specific details. There are very few generic attacks that will work against multiple targets. Similarly, there are few general vulnerabilities that simultaneously affect different network components. Instead, the classic vulnerability affects a single feature of one release of a software product installed under a single operating system, a feature that can be exploited in only one way.
Out of the trillions of lines of code running in networked systems, a vulnerability may exist in a single line. It is a unique grain of sand in a mile-long beach. How do those with systems containing that unique flawed line know they are potential victims? And how do they identify a solution?
As the number of network components grows every year, the number of vulnerabilities also grows. Annual vulnerability announcements now number in the thousands, well beyond the capacity for human memory to manage. Well-organized databases, with verified contents and flexible search abilities, are required if these vulnerabilities are to be controlled by the security community.
A vulnerability database serves many communities: businesses need to know whether elements of their current or planned computing environment are susceptible to security failures, system administrators want alerts to relevant security malfunctions and their cures, software developers need warning when their products have shown security flaws, and security practitioners depend on a comprehensive and standardized vulnerability list to build products and services.
Historically, it has been difficult to develop a comprehensive, unbiased, and timely resource that provides for these needs. One reason for the difficulty is that documenting and disseminating vulnerabilities has become an enormous task. CERT, the security vulnerabilities research center at Carnegie Mellon University's Software Engineering Institute, identified just 171 vulnerabilities in 1995, but reported 7,236 in 2007: an increase of over 4,000 percent in twelve years. CERT's counts are considered conservative and the actual number of vulnerabilities facing administrators, developers, and organizations may actually be higher.
The effort required to track vulnerabilities exceeds the resources of most organizations, and the volume of information appearing each year is unlikely to decrease. To meet the growing need for vulnerability management, OSVDB harnesses the efforts of the world's security practitioners and the power of the open source development model to locate, verify, and document this critical information.
OSVDB provides the necessary structure, technology, and content to support the security community's requirement for vulnerability management. OSVDB aims to be the leading open source project in its field by helping practitioners evolve and move beyond the current mainstream reactionary model. By maintaining a close connection with the security community, by remaining unaffiliated with commercial interests and open to community content development, and by actively promoting excellence in its operation, OSVDB will provide a stable, world-class resource for all security projects and practitioners.
The OSVDB Project
The OSVDB project was launched in 2002 following a realization in the security community that no independent, community operated vulnerability database existed. There were, and still are, numerous vulnerability databases.Some of these databases are managed by private interests to meet their own requirements, while others contain a limited subset of vulnerabilities or have significant restrictions on their content. OSVDB's project leaders have set out to implement a vulnerability database that meets three requirements. The database must be: i) comprehensive; ii) open for use; and iii) answerable to the community.
OSVDB is currently an active web application. The project was originally deployed in two major parts: a front end allowed vulnerabilities to be searched for and reported on, and a back end allowed contributors to add or edit vulnerabilities. In order to streamline the process, OSVDB has recently implemented a customizable portal that fully integrates the old back end interface and the front end website. In addition, the method for updating vulnerabilities has been changed to a wiki-like system that allows contributors to edit individual fields when needed. OSVDB is also available for download in multiple database export formats and as a very small Ruby on Rails application. This application utilizes our SQLite database export to give a user their own, albeit relatively featureless, local OSVDB instance.
OSVDB moderators identify new vulnerabilities and assign them a unique identifier. This allows contributors the ability to scour the web for information describing a vulnerability, then capture the details in a database record within OSVDB itself. A moderator checks each vulnerability entry before it is committed, to ensure that the OSVDB's standards for clarity and correctness are met. Once the update has been accepted, it is available to anyone requiring vulnerability information from the database.The process is rapid, making new vulnerabilities available to the community quickly. It is also efficient, maximizing productivity for the contributors and moderators so that the team can keep above the rising tide of vulnerability data. The online process and the automation that supports it have been improved continuously since the project opened, and the OSVDB team will continue to add value to the basic database and associated services over time.
Many security endeavors benefit from a single source listing all vulnerabilities. This is in contrast to a federated approach where multiple vulnerability lists have to be queried and the results combined to get a comprehensive result. Developers creating vulnerability assessment tools, system administrators protecting servers and networks, business staff assessing risks and remedies, academic researchers documenting and analyzing the past and future of network security. All invest effort in identifying vulnerabilities, all work to document them consistently, and all can benefit from a single, comprehensive source of vulnerability data. The OSVDB project reduces duplication of effort and promotes data consistency.
Serious users of any database evaluate its sources and practices before placing trust in its contents. OSVDB is unbiased and neutral in its practices for accepting, reviewing, and publishing vulnerabilities. Its open acceptance of community input and internal review processes ensure that the vulnerability database is not colored by vendor biases. The OSVDB team works hard to ensure that the content evenly reflects the actual distribution of vulnerabilities, neither over-exposing nor under-exposing particular operating systems, products, or vendors. Some experts have raised concerns that such a comprehensive security database may present potential dangers of its own. This is security's classic disclosure problem. Can a vulnerability database help an attacker? It may do so, but it provides a far more significant benefit for defenders. Google can be considered the largest and most detailed vulnerability database in the universe. It operates whether or not other vulnerability lists exist, and provides the ultimate resource for the dedicated attacker.
Given the breadth of information security problems affecting businesses and individuals, it is easy to understand that subscribers to security information span a wide range of technical backgrounds and skills. At times, some software vendors have been criticized for releasing vulnerability information that lacks the details system administrators need. Others have drawn fire for complex vulnerability reports that confuse home users and non-technical staff. OSVDB includes both business-level descriptions and the technical details for the vulnerabilities in the database. Creating and supplying the proper type of information for the intended audience allows OSVDB to serve all consumers of vulnerability information.
Many security operations, whether stand-alone organizations or security departments within enterprises, operate under tight funding, and need to rely on the free efforts of others to be successful. OSVDB's features and services benefit all security practitioners because they are universally available, without distribution controls and without fees or charges. OSVDB deliverables can be freely used, whether as stand-alone components or integrated into other tools. For example, an open-source web vulnerability scanner like Nikto or Nessus can use OSVDB data to populate reports from a vulnerability scan. Both development teams conserve effort in finding and documenting vulnerabilities, and the security community benefits from comprehensive and consistent reporting capabilities.
OSVDB organizers believe that more than one vulnerability database is needed to meet the full variety of community requirements. The 2nd Workshop on Research with Security Vulnerability Databases, stated that "no single proposition satisfies all parties involved" and that the parallel pursuit of different strategies would have the best opportunity for success. OSVDB intends to fulfill the recognized community requirements for an open, centralized resource.
While it references other vulnerability databases, it develops its own database entries to ensure that there are no restrictions on distribution and re-use of OSVDB vulnerability data. Its contents are free of cost and free of restrictions on use under the terms of the OSVDB Free License.
Since March 31, 2004, when the OSVDB first opened for public use, the project has reached many milestones, including:
- The formation of the Open Security Foundation, a non-profit public foundation which provides independent, accurate, detailed, current, and unbiased security information to organizations, protects the OSVDB from commercial acquisition, and formalizes the tax status of contributors.
- The creation of the OSVDB vendor dictionary, a free resource through which the security community is able to gather vendor contact information. The vendor dictionary is a list of vendors, indexed by name, which may be freely searched and utilized by all who wish to find both general and security contact information. The service also provides a way for vendors to keep their information current within the dictionary.
- The OSVDB blog started as a way for the project to keep the public better informed on the project's status. Very quickly, the blog became a place to discuss and comment on various aspects of vulnerabilities, and has become a successful mechanism for communicating with the security industry.
- A custom portal was implemented to allow users to define specific alerting of vulnerabilities with OSVDB's Watchlist service. This service allows users to track new vulnerabilities by vendor or products and also consolidates vendor security mailing lists.
- The OSVDB displays relevant blogs for additional reading and has the ability for security practitioners to comment on specific vulnerabilities. While OSVDB has made every effort to include all references in some fashion, we have implemented a concise method for the community to add information about a vulnerability.
- A detailed classification system allows OSVDB to track numerous fields for each vulnerability. The enhanced data allows users to find vulnerabilities based on criteria such as attack type, solution status, or whether or not the vulnerability has been confirmed or disputed by the vendor.
- Integration and cross-referencing of OSVDB via the application programming interface (API) which can provide multiple result formats to fit various needs. Queries can be run against any number of correlation factors, including CVE ID, Microsoft Bulletin ID, Bugtraq ID, and a host of other common reference points.
- The OSVDB supports multiple database export formats (XML, SQLite, MySQL and CSV) as well as a small Ruby on Rails application that utilizes a SQLite database export to give a user their own local OSVDB instance.
The OSVDB is working towards the following objectives:
- The OSVDB Vulnerability Disclosure Framework, a service to help to improve, streamline and, more importantly, remove the mystery and breakdowns in the disclosure process. The framework will assist researchers and vendors to better coordinate disclosing vulnerabilities.
- A policy on the release of vulnerability information which incorporates clear guidelines on the timing of notification to the product developer and of notification to the open security community. In addition, a formal statement of policy for handling previously-unknown (0-day) security vulnerabilities and exploits, covering communications with affected vendors as well as with the security community.
- Recruitment of more security professionals to maintain and extend the vulnerability database and formal recognition of contributors and identifying lead-contributors to support organizations underwriting their time and effort.
- Active integration with vulnerability tools to streamline the process of identifying and setting priorities for the identified vulnerabilities. OSVDB will assist tool developers to identify vulnerabilities that are not already represented in their products, and will provide a way to identify the high-priority vulnerabilities for immediate attention.
- The creation of a Vulnerability and Patch Management Portal to create a flexible framework that can provide organizations with the ability to track and manage vulnerabilities and patches. OSVDB is looking to not only provide information on vulnerabilities, but also a service that can provide security professionals a way to track and ensure that vulnerabilities have been addressed at their organization.
- The OSVDB Training Portal Framework will create a flexible framework that can provide training on security issues. The OSVDB aims to be a repository for training information that will help educate end users on how to avoid security risks and developers on how to avoid coding insecure applications.
- The OSVDB Port Listing Project will be a central repository for all known ports and protocols. This will be the foundation for many new features such as referencing ports and protocols to OSVDB vulnerabilities. This will then allow the OSVDB to be better mapped to firewall rules, intrusion detection system (IDS) alerts, and potential integrations to other security projects.
- Long term sponsorship to provide additional services and an improved dataset.
The OSVDB provides an important service for the security community by maintaining and propagating an open, freely available database of security vulnerabilities. As Stewart Brand said, "information wants to be free". This is doubly true for security information, which can protect network users and organizations from harm. The project is already significant to the world security community, and it will increase in importance as its contents grow and as it adds features and services over time.
The OSF, a non-profit organization which oversees the operations of the OSVDB, was setup as an umbrella organization to support open source security projects. Another project that continues to provide value to the community is the DataLoss DB, (DLDOS) run by Attrition.org since July 2005. It will be formally maintained as an ongoing project under OSF. The DLDOS project's core mission is to track data loss and data theft incidents--whether confirmed, unconfirmed, or disputed--not just from the United States, but across the world. As of June 4, 2008, DLDOS contains information on over 1,000 breaches of personal identifying information covering over 330 million records.
This article is based upon the whitepaper entitled OSVDB Aims. The original whitepaper is available in HTML and PDF at the OSVDB website.
Requirements and Approaches for a Computer Vulnerability Data Archive
Sharing Vulnerability Information Using a Taxonomically-Correct, Web-Based Cooperative Database