Tag: OSVDB
-
iDefense VCP as seen through OSVDB
[This was originally published on the OSVDB blog.] In 2002, iDefense started their Vulnerability Contributor Program. The VCP was created to solicit vulnerability information from the security community and pay researchers for the information. Paying up to US$15,000 for a vulnerability or exploit, iDefense proved there was a significant market for such information after years…
-
Microsoft, Aurora and Something About Forest and Trees?
[This was originally published on the OSVDB blog.] Perhaps it is the fine tequila this evening, but I really don’t get how our industry can latch on to the recent ‘Aurora’ incident and try to take Microsoft to task about it. The amount of news on this has been overwhelming, and I will try to…
-
Putting OSVDB to work for Nessus Vulnerability Management
[This was originally published on the Tenable blog.] A customer recently asked us to provide a count of patches issued in 2009 for various Unix and Linux-based operating systems. To honor their request, we turned to OSVDB, the Open Source Vulnerability Database. OSVDB covers over 60,000 vulnerabilities, spans over 26,000 products and has a powerful search…
-
Adobe, Qualys, CVE, and Math
[This was originally published on the OSVDB blog.] Elinor Mills wrote an article titled Firefox, Adobe top buggiest-software list. In it, she quotes Qualys as providing vulnerability statistics for Mozilla, Adobe and others. Qualys states: The number of vulnerabilities in Adobe programs rose from 14 last year to 45 this year, while those in Microsoft…
-
OSVDB – Creditee System Overhauled
[This was originally published on the OSVDB blog.] Thanks to Dave, we now have a completely re-written creditee system. For years, we operated off a four field system (name, email, company, url) for tracking vulnerability researchers. While we tracked that information, it was not flexible and led to serious problems with data integrity. Even worse,…
-
Responsible Disclosure – Old Debate, Fresh Aspects?!
[This was originally published on the OSVDB blog.] Earlier this evening, there was a Twitter debate regarding a proposed standard for responsible vulnerability disclosure. It referred to ISO/IEC 29147, a proposed standard for responsibly disclosing a vulnerability. Dino Dai Zovi brought up a fresh angle, that the “responsible disclosure” name itself completely ignored the aspect…
-
OSVDB – Search Filters & Custom Exports
[This was originally published on the OSVDB blog.] Last week, OSVDB enhanced the search results capability by adding a considerable amount of filter capability, a simple “results by year” graph and export capability. Rather than draft a huge walkthrough, open a search in a new tab and title search for “microsoft windows”. As always, the…
-
What I Learned From Early CVE Entries!
[This was originally published on the OSVDB blog.] This post is the farthest thing from picking on or insulting CVE. They were running a VDB some four years before OSVDB entered the picture. More impressive, they operated with a level of transparency that no other VDB offered at the time. Early OSVDB entries suffered just…
-
Vendors & researchers, no more decade old embargo!
[This was originally published on the OSVDB blog.] Vulnerabilities reported ten years ago, they have no impact on your customers. If they do, then you are woefully behind and your customers are desperately hanging on to legacy products, scared to upgrade. For vendors who have kept up on security and adopted a responsible and timely…
-
Malware to Vulnerability Mappings.. Anyone?
[This was originally published on the OSVDB blog.] Unbeknownst to many of us, MITRE’s Common Malware Enumeration (CME) project was declared dead, and apparently has been for a while. What is CME? From their site: CME was created to provide single, common identifiers to new virus threats and to the most prevalent virus threats in…