From jericho at attrition.org Thu Sep 2 00:40:31 2004
From: jericho at attrition.org (security curmudgeon)
Date: Thu Sep 2 00:40:35 2004
Subject: [attrition] Open Source Vulnerability Database Opens Vendor Dictionary
Message-ID:

Open Source Vulnerability Database Opens Vendor Dictionary

On 31 August 2004 the Open Source Vulnerability Database, a project to catalog and describe the world's security vulnerabilities, expanded its offering and opened a vendor dictionary that serves as a centralized, public resource for vendor contact information.

The OSVDB vendor dictionary is a resource through which the security community can gather contact information for a desired vendor. The dictionary is a list of vendors, indexed by name, which may be freely searched and used by anyone who wishes to find both general and security contact information. The service also provides a way for vendors to keep their own information current within the dictionary. With straightforward forms, OSVDB will be a concise and central repository for up-to-date, accurate vendor contact information-- and it's free.

"Vendors expect to be contacted when researchers find security holes-- no matter what," says Jake Kouns, project lead for OSVDB. "However, many vendors do not provide easy-to-locate contact information on their websites. This makes it challenging, time consuming and sometimes impossible for security researchers to follow responsible disclosure practices."

OSVDB aims to make it simple for contact information to be shared between researchers and vendors. The vendor dictionary is essentially a giant phonebook of vendors with current contact information, interfaced directly with the OSVDB database. It is designed for vendors, security professionals, and the security community alike.
Many security researchers who routinely practice ethical disclosure find themselves unable to do so because the required vendor contact information is too hard to find. Alexander Koren, an OSVDB volunteer from Germany, explains, "There will no longer be a need to dig through web pages to hopefully find all the necessary information anymore." OSVDB recognizes the need for a current and free resource for this information, and has responded by developing the dictionary to fill this gap.

Even though anyone can help maintain the dictionary, OSVDB calls on all software and hardware vendors to visit the vendor dictionary and ensure that their contact information is accurate and complete. OSVDB also urges vendors to reassess the means by which a researcher may contact them with vulnerability research. While populating the dictionary, it was noticed that many vendors rely on web forms for users to submit information, which is not always convenient or the preferred contact medium. OSVDB encourages vendors to follow the RFC 2142 (section 4) guidelines and make a specific security email address available for use by researchers. This will make it easier for vulnerability researchers to communicate with vendors, and will help ensure that vulnerability reports are not missed.

Brandon Shilling, a member of the OSVDB development team who worked extensively on the vendor dictionary, says, "The function of the dictionary is merely just a foundation for how OSVDB intends to revolutionize the way vulnerabilities are disclosed to the vendor." The OSVDB dictionary is the first phase of additional upcoming services, including assisting researchers with ethically disclosing vulnerabilities, helping to verify vulnerabilities, and the OSVDB vulnerability portal.

The OSVDB vendor dictionary can be found at www.OSVDB.org.