Tag: Vulnerability Databases

  • Rebuttal: Dark Reading’s “9” Sources for Tracking New Vulnerabilities

    [This was originally published on the OSVDB blog.] Earlier today, Sean Martin published an article on Dark Reading titled “9 Sources For Tracking New Vulnerabilities”. Spanning 10 pages, likely for extra ad revenue, the sub-title reads: Keeping up with the latest vulnerabilities — especially in the context of the latest threats — can be a…

  • OSVDB – How many people work on this project?

    [This was originally published on the OSVDB blog.] We are occasionally asked how many people work on OSVDB. This question comes from those familiar with the project, and potential customers of our vulnerability intelligence feed. Back in the day, I had no problem answering it quickly and honestly. For years we limped along with one…

  • We’re Doing the Unthinkable

    [This was originally published on the OSVDB blog.] Anyone who knows me in the context of vulnerability databases will find this post a tad shocking, even if they have endured my rants about it before. For the first time ever, I am making it policy that we will no longer put any priority on Vulnerability…

  • Buying Into the Bias: Why Vulnerability Statistics Suck [Abstract]

    [This was originally published on the OSVDB blog.] Last week, Steve Christey and I gave a presentation at Black Hat Briefings 2013 in Las Vegas about vulnerability statistics. We submitted a brief whitepaper on the topic, reproduced below, to accompany the slides that are now available. Buying Into the Bias: Why Vulnerability Statistics Suck. By Steve…

  • Our Straw House: Vulnerabilities

    I was asked by RVAsec to fill in as a last-minute replacement for a speaker who canceled. The topic of Vulnerability Databases (VDBs) is very familiar to me, so the only trick was cramming an intricate topic into about 50 minutes. Overall, I attempt to enumerate the serious weaknesses in most VDBs that make…

  • Ferreting Out Unique Vulnerability Data in OSVDB

    [This was originally published on the OSVDB blog.] In previous blog posts and on Twitter, I have shown and mentioned various methods for searching OSVDB to find interesting data. However, there is no written guide to the ins-and-outs of the data. The search interface is simple enough, but it can be used in a manner…

  • iDefense VCP as seen through OSVDB

    [This was originally published on the OSVDB blog.] In 2002, iDefense started their Vulnerability Contributor Program. The VCP was created to solicit vulnerability information from the security community and pay researchers for the information. Paying up to US$15,000 for a vulnerability or exploit, iDefense proved there was a significant market for such information after years…

  • Adobe, Qualys, CVE, and Math

    [This was originally published on the OSVDB blog.] Elinor Mills wrote an article titled Firefox, Adobe top buggiest-software list. In it, she quotes Qualys as providing vulnerability statistics for Mozilla, Adobe and others. Qualys states: The number of vulnerabilities in Adobe programs rose from 14 last year to 45 this year, while those in Microsoft…

  • OSVDB – Creditee System Overhauled

    [This was originally published on the OSVDB blog.] Thanks to Dave, we now have a completely re-written creditee system. For years, we operated off a four field system (name, email, company, url) for tracking vulnerability researchers. While we tracked that information, it was not flexible and led to serious problems with data integrity. Even worse,…

  • OSVDB – Search Filters & Custom Exports

    [This was originally published on the OSVDB blog.] Last week, OSVDB enhanced the search results capability by adding a considerable amount of filter capability, a simple “results by year” graph and export capability. Rather than draft a huge walkthrough, open a search in a new tab and title search for “microsoft windows”. As always, the…