OSVDB co-founder HD Moore discusses demise of open-source project

An open-source project dedicated to cataloguing a huge range of computer security flaws has closed its doors as of Tuesday, according to an announcement on the Open-Source Vulnerability Database's blog.

The OSVDB, which was founded in 2002, was meant to be an independent repository for security information, allowing researchers to compare notes without oversight from large corporate software companies.

One of its founders was HD Moore, a well-known hacker and security researcher, best known for his development of the Metasploit framework, a software suite widely used for penetration testing. Moore recently left security firm Rapid7 for a forthcoming venture capital firm that will focus on infosec startups.

Network World interviewed Moore via email and got his take on the life and death of OSVDB.

What was the original idea behind the OSVDB project?

The origin of the OSVDB project was a conversation between myself, RFP [Rain Forest Puppy, a noted white hat hacker], Steve Manzuik, Chris Wysopal, and a few others who were concerned about what would happen to the Bugtraq database after the Symantec acquisition of SecurityFocus (its previous owner). The irony is that Bugtraq/SecurityFocus under Symantec has now outlived OSVDB.

The group argued a bunch about what OSVDB should be, who should fund it, and how it would be built. A few months later, the project lost momentum, and the original group of researchers (including me) kind of gave up on it.

And what happened then?

A few months later Jake Kouns took over, creating the Open Security Foundation as a parent organization for OSVDB, with Forrest Rae rewriting the codebase from scratch, and Brian Martin (jericho) getting involved.
A number of security folks were heavy contributors to the content over the years (myself included in the early days). In terms of funding, there wasn't a lot of direct cash investment that I know of, but companies like Digital Defense donated developer time and servers for hosting. Jake and the team did a great job of getting visibility for the project, but struggled to get help with the backend codebase, and started to sour on the community in general.

So what went wrong?

There was a shift from "open source" meaning the data was open, to "open sourced" meaning that they owned it all, and Jake started to complain about how the community was not contributing enough. Once a year or so, Jake would threaten to close down the project, and made comments about how it was better to hire low-rate overseas editors than to work with the security community. By 2005 or so, it was pretty clear that the future of OSVDB was not going to be open. Jake eventually started Risk Based Security, which had an exclusive license to the OSVDB content, monetized it, and theoretically put some money back into hosting and operations. A number of blog posts were written complaining about people "stealing" the data, large companies running web scrapers, and generally going against Jake's view of the project.

Why shut it down now?

The biggest problem was the name: OSVDB starts with the word Open, but the content was becoming more and more difficult to access. Bulk downloads were first put behind a login, then disabled entirely. The web site was put behind CloudFlare with captchas to stop scrapers. All of that culminated with this year's shutdown. The project (as OSVDB) was semi-dead for the last few months. I think they stopped taking external contributions in the middle of last year.
Starting around February the entire public web site redirected to the blog. It was as good a time to kill it as any given the status.

What are the effects on the security community going to look like?

Dozens of security products use OSVDB references (including Metasploit), which now all point to a defunct web site. Many vulnerabilities have no identifier besides the OSVDB ID. All of those need to be updated to point somewhere else. Since the content is commercial only, it also wouldn't be legal for someone to host a mirror.

OSVDB had a great data model and was ridiculously complete. This required a huge amount of effort to keep up with new vulnerabilities and maintain changes to old ones.

There is a lot of discussion happening (Twitter, IRC, and 1:1 calls) about what to replace it with and what a replacement would look like. There are some minimal efforts to provide bare-bones identifiers (DWF, Openwall's generator, etc.), but no coordinated effort to build a comprehensive historical vulnerability database. There are a number of companies who could bootstrap a new database with their commercial datasets (Qualys, Tenable, Rapid7, Secunia, IBM, etc.) but it isn't clear if any of them are interested.