[attrition] Open Source Vulnerability Database Opens Vendor Dictionary

security curmudgeon jericho at attrition.org
Thu Sep 2 00:40:31 EDT 2004



Open Source Vulnerability Database Opens Vendor Dictionary

On 31 August 2004, the Open Source Vulnerability Database, a project to
catalog and describe the world's security vulnerabilities, expanded its
offering and opened a vendor dictionary that serves as a centralized,
public resource for vendor contact information.

The OSVDB vendor dictionary is a resource through which the security
community will be able to gather contact information for a desired vendor.
The vendor dictionary is a list of vendors, indexed by name, which may be
freely searched and utilized by all who wish to find both general and
security contact information.  The service also provides a way for vendors
to keep their information current within the dictionary.  With
straightforward forms, OSVDB will be a concise and central repository for
up-to-date, accurate vendor contact information, and it's free.

"Vendors expect to be contacted when researchers find security holes, no
matter what," says Jake Kouns, project lead for OSVDB. "However, many
vendors do not provide easy to locate contact information on their
websites. This makes it challenging, time consuming and sometimes
impossible for security researchers to follow responsible disclosure
practices."

OSVDB aims to make it simple for contact information to be shared between
researchers and vendors.  The vendor dictionary is essentially a giant
phonebook of vendors with current contact information, interfaced directly
with the OSVDB database.  It is designed for vendors, security
professionals, and the security community alike. Many security researchers
who routinely practice ethical disclosure find themselves unable to do
so, because the required vendor contact information is sometimes too
hard to find. Alexander Koren, an OSVDB volunteer
from Germany, explains, "There will no longer be a need to dig through web
pages to hopefully find all the necessary information anymore."  OSVDB
realizes the necessity for a current and free resource for this
information, and has responded by developing the dictionary to fill this
gap.

Even though anyone can help maintain the dictionary, OSVDB calls for all
software and hardware vendors to visit the vendor dictionary and ensure
that their contact information is accurate and complete.  OSVDB also urges
vendors to reassess the means through which a researcher may contact them
with vulnerability research. While populating the dictionary, OSVDB
noticed that many vendors rely on web forms for users to submit
information, which is not always convenient or the preferred contact
medium.  OSVDB encourages vendors to follow the guidelines of RFC 2142
(section 4) and provide a dedicated security email address for use by
researchers. This will make it easier for vulnerability researchers to
communicate with vendors and will help ensure that vulnerability reports
are not missed.

Brandon Shilling, a member of the OSVDB development team who worked
extensively on the vendor dictionary, says, "The function of the
dictionary is merely just a foundation for how OSVDB intends to
revolutionize the way vulnerabilities are disclosed to the vendor." The
OSVDB dictionary is the first phase for additional upcoming services
including assisting researchers with ethically disclosing vulnerabilities,
helping to verify vulnerabilities, and the OSVDB vulnerability portal.

The OSVDB vendor dictionary can be found at www.OSVDB.org.
