Tag: OSVDB
-
I could do this all day… (Poor vuln stats from @GFISoftware)
[This was originally published on the OSVDB blog.] Despite the talk given at BlackHat 2013 by Steve Christey and myself, companies continue to produce pedestrian and inaccurate statistics. This batch comes from Cristian Florian at GFI Software and offers little more than confusing and misleading statistics. Florian falls into many of the traps and pitfalls […]
-
OSVDB – How bad is the scraping problem?
[This was originally published on the OSVDB blog.] Via Twitter, blogs, or talking with our people, you may have heard us mention the ‘scraping’ problem we have. In short, individuals and companies are using automated methods to harvest (or ‘scrape’) our data. They do it via a wide variety of methods but most boil down […]
-
An Open Letter to Ashley Carman, @SCMagazine, and @SkyboxSecurity
[This was originally published on the OSVDB blog.] [Sent to Ashley directly via email. Posting for the rest of the world as yet another example of how vulnerability statistics are typically done poorly. In this case, a company that does not aggregate vulnerabilities themselves, and has no particular expertise in vulnerability metrics weighs in on […]
-
OSVDB – We hit the 100,000 mark…
[This was originally published on the OSVDB blog.] If you didn’t catch the tweet, OSVDB pushed its 100,000th vulnerability on December 25, 2013. This goal was on our minds the last quarter of 2013, with the entire team working to push an average of 36 vulnerabilities a day to reach it. That is quite the […]
-
OSVDB – How many people work on this project?
[This was originally published on the OSVDB blog.] We are occasionally asked how many people work on OSVDB. This question comes from those familiar with the project, and potential customers of our vulnerability intelligence feed. Back in the day, I had no problem answering it quickly and honestly. For years we limped along with one […]
-
OSVDB – We’re offering a bounty… of sorts!
[This was originally published on the OSVDB blog.] In our pursuit of a more complete historical record of vulnerabilities, we’re offering a bounty! We don’t want your 0-day really. OK sure we do, but we know you are stingy with that, so we’ll settle on your ~ 12,775 day exploits! First, the bounty. This is […]
-
An Open Letter to @InduSoft
[This was originally published on the OSVDB blog.] InduSoft, When referencing vulnerabilities in your products, you have a habit of only using an internal tracking number that is kept confidential between the reporter (e.g. ICS-CERT, ZDI) and you. For example, from your HotFix page (that requires registration): WI2815: Directory Traversal Buffer overflow. Provided and/or discovered […]
-
We’re Doing the Unthinkable
[This was originally published on the OSVDB blog.] Anyone who knows me in the context of vulnerability databases will find this post a tad shocking, even if they have endured my rants about it before. For the first time ever, I am making it policy that we will no longer put any priority on Vulnerability […]
-
howdoireportavuln.com – Good intentions, needs fix-ups though
[This was originally published on the OSVDB blog.] Tonight, shortly before retiring from a long day of vulnerability import, I caught a tweet mentioning a web site about reporting vulnerabilities. Created on 15-aug-2013 per whois, the footer shows it was written by Fraser Scott, aka @zeroXten on Twitter. http://howdoireportavuln.com/ I love focused web sites that […]