Ethereal-users: [Ethereal-users] Open Source Vulnerability Database Opens Vendor Dictionary

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date: Tue, 31 Aug 2004 01:23:15 -0600
Open Source Vulnerability Database

Press release: 2004.08.31 2

Open Source Vulnerability Database Opens Vendor Dictionary

The Open Source Vulnerability Database, a project to catalog and describe the
world's security vulnerabilities, has expanded its offering and, on 31 August
2004, opened to the public a vendor dictionary that serves as a centralized
resource for vendor contact information.

The OSVDB vendor dictionary is a resource through which the security community
will be able to gather contact information for a desired vendor.  The vendor
dictionary is a list of vendors, indexed by name, which may be freely searched
and utilized by all who wish to find both general and security contact
information.  The service also provides a way for vendors to keep their
information current within the dictionary.  With straightforward forms, OSVDB
will be a concise and central repository for up-to-date, accurate vendor
contact information, and it’s free.

"Vendors expect to be contacted when researchers find security holes-- no matter
what," says Jake Kouns, project lead for OSVDB. "However, many vendors do not
provide easy-to-locate contact information on their websites. This makes it
challenging, time-consuming and sometimes impossible for security researchers
to follow responsible disclosure practices."

OSVDB aims to make it simple for contact information to be shared between
researchers and vendors.  The vendor dictionary is essentially a giant
phonebook of vendors with current contact information, interfaced directly with
the OSVDB database.  It is designed for vendors, security professionals, and
the security community alike. Many security researchers who routinely practice
ethical disclosure find themselves unable to do so because the required vendor
contact information is sometimes too challenging to find.
Alexander Koren, an OSVDB volunteer from Germany, explains, "There will no
longer be a need to dig through web pages to hopefully find all the necessary
information anymore."  OSVDB recognizes the need for a current and free
resource for this information, and has responded by developing the dictionary
to fill this gap.

Even though anyone can help maintain the dictionary, OSVDB calls for all
software and hardware vendors to visit the vendor dictionary and ensure that
their contact information is accurate and complete.  OSVDB also urges vendors
to reassess the means through which a researcher may contact them with
vulnerability research. While populating the dictionary, it was noticed that
many vendors utilize web forms for a user to submit information, which is not
always convenient or the preferred contact medium.  OSVDB encourages vendors to
follow RFC 2142 (section 4) guidelines and have a specific security email
address available for use by researchers. This will make it easier for
vulnerability researchers to communicate with vendors and help ensure that
vulnerability reports are not missed.

Brandon Shilling, a member of the OSVDB development team who worked extensively
on the vendor dictionary, says, "The function of the dictionary is merely just
a foundation for how OSVDB intends to revolutionize the way vulnerabilities are
disclosed to the vendor." The OSVDB dictionary is the first phase of
additional upcoming services, including assisting researchers with ethically
disclosing vulnerabilities, helping to verify vulnerabilities, and the OSVDB
vulnerability portal.

The OSVDB vendor dictionary can be found at www.OSVDB.org.


###


More Information:

Jake Kouns
Open Source Vulnerability Database Project
+1.804.306.8412
jkouns@xxxxxxxxx