Tag: OSVDB
-
Reviewing the Secunia 2013 Vulnerability Review
[This was originally published on the OSVDB blog.] On February 26, Secunia released their annual vulnerability report (link to report PDF) summarizing the computer security vulnerabilities they had cataloged over the 2013 calendar year. For those not familiar with their vulnerability database (VDB), we consider them a ‘specialty’ VDB rather than a ‘comprehensive’ VDB (e.g.…
-
Unknown Vulnerabilities
[This was originally published on the OSVDB blog.] One thing that we emphasize when talking about our database is what it really represents. While we catalog tens of thousands of vulnerabilities more than any other database, we are also upfront that there are still thousands, possibly tens of thousands more vulnerabilities that are already public,…
-
I could do this all day… (Poor vuln stats from @GFISoftware)
[This was originally published on the OSVDB blog.] Despite the talk given at BlackHat 2013 by Steve Christey and myself, companies continue to produce pedestrian and inaccurate statistics. This batch comes from Cristian Florian at GFI Software and offers little more than confusing and misleading statistics. Florian falls into many of the traps and pitfalls…
-
OSVDB – How bad is the scraping problem?
[This was originally published on the OSVDB blog.] Via Twitter, blogs, or talking with our people, you may have heard us mention the ‘scraping’ problem we have. In short, individuals and companies are using automated methods to harvest (or ‘scrape’) our data. They do it via a wide variety of methods but most boil down…
-
An Open Letter to Ashley Carman, @SCMagazine, and @SkyboxSecurity
[This was originally published on the OSVDB blog.] [Sent to Ashley directly via email. Posting for the rest of the world as yet another example of how vulnerability statistics are typically done poorly. In this case, a company that does not aggregate vulnerabilities themselves, and has no particular expertise in vulnerability metrics weighs in on…
-
OSVDB – We hit the 100,000 mark…
[This was originally published on the OSVDB blog.] If you didn’t catch the tweet, OSVDB pushed its 100,000th vulnerability on December 25, 2013. This goal was on our minds the last quarter of 2013, with the entire team working to push an average of 36 vulnerabilities a day to reach it. That is quite the…
-
OSVDB – How many people work on this project?
[This was originally published on the OSVDB blog.] We are occasionally asked how many people work on OSVDB. This question comes from those familiar with the project, and potential customers of our vulnerability intelligence feed. Back in the day, I had no problem answering it quickly and honestly. For years we limped along with one…
-
OSVDB – We’re offering a bounty… of sorts!
[This was originally published on the OSVDB blog.] In our pursuit of a more complete historical record of vulnerabilities, we’re offering a bounty! We don’t want your 0-day really. OK sure we do, but we know you are stingy with that, so we’ll settle on your ~12,775 day exploits! First, the bounty. This is…
-
An Open Letter to @InduSoft
[This was originally published on the OSVDB blog.] InduSoft, When referencing vulnerabilities in your products, you have a habit of only using an internal tracking number that is kept confidential between the reporter (e.g. ICS-CERT, ZDI) and you. For example, from your HotFix page (that requires registration): WI2815: Directory Traversal Buffer overflow. Provided and/or discovered…