The Openness Of The Open Source Vulnerability Database - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Government // Enterprise Architecture
Commentary
12/17/2007
04:04 PM
Serdar Yegulalp
Serdar Yegulalp
Commentary
Connect Directly
Twitter
RSS
E-Mail
50%
50%

The Openness Of The Open Source Vulnerability Database

There are a lot of open source initiatives out there that aren't just software, but ways to get information into people's hands. Today an open source supplier of security vulnerability information, the OSVDB, just went live with a whole new revision to its service. The information it provides is free, albeit with some strings attached that have raised a few hackles.

There are a lot of open source initiatives out there that aren't just software, but ways to get information into people's hands. Today an open source supplier of security vulnerability information, the OSVDB, just went live with a whole new revision to its service. The information it provides is free, albeit with some strings attached that have raised a few hackles.

The basic idea's pretty elegant: Take all the ethically disclosed software security information you can find and make it available in as detailed and up-to-date format as you can without the interests of any particular software vendor. The results can and have been integrated with a number of third-party security products such as Nikto (itself an open source product).

The licensing scheme for the OSVDB has raised a couple of hackles, though. While folks can download the entire OSVDB database and repurpose it in a for-profit or open source product, you need to contact the OSVDB about reusing the data and reference it as the source throughout the product itself. And while the schema for the data, and the data itself, are freely available, as far as I have been able to tell the code for the OSVDB's interface, the Web site, and the OSVDB search system itself are not available as an open source product.

One critic of this setup (posted in Slashdot's comments section back in 2004 when the OSVDB went live) derided the OSVDB's custom license and use of "open source" as little more than a "marketing term." He further ventured a guess that after a year or two it would be bought out and turned into a commercial outfit. That hasn't happened, and I doubt it would, but the design of the service brings up an ethical question: Are the maintainers of the OSVDB ethically bound to release the site's search code as well as the data and its schema?

It's a tough question. Wikipedia, for instance, has its own software available as an open source application, although the data in Wikipedia, the way you access it, and the ends it's put to are markedly unlike the OSVDB. It could be argued that the value of the OSVDB isn't exclusively in its presentation through the OSVDB Web site, and so releasing the presentation code wouldn't be as useful as releasing the data.

I'm fairly sure issues like this will become more, not less, common as the general concept of openness as a standard to aspire to spreads. I've sent the folks at the OSVDB an e-mail about this whole thing and will be printing what they say in a follow-up.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

News
How SolarWinds Changed Cybersecurity Leadership's Priorities
Jessica Davis, Senior Editor, Enterprise Apps,  5/26/2021
Commentary
How CIOs Can Advance Company Sustainability Goals
Lisa Morgan, Freelance Writer,  5/26/2021
Slideshows
IT Skills: Top 10 Programming Languages for 2021
Cynthia Harvey, Freelance Journalist, InformationWeek,  5/21/2021
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
Planning Your Digital Transformation Roadmap
Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
Slideshows
Flash Poll