Open-source flaw database opens its doors

A security Web site aims to aid administrators by tracking and storing Internet security vulnerabilities free of charge

The Open Source Vulnerability Database (OSVDB) has launched a free Web site that catalogues security flaws in Internet-related software. It will, say its creators, promote more open collaboration between companies and individuals "and reduce expenses inherent with the development and maintenance of in-house vulnerability databases".

There are various specialist mailing lists that inform administrators and developers about newly discovered security vulnerabilities, but the OSVDB, which was launched in 2002, claims to be the first site to aggregate all this content into a single searchable resource and make it freely available on the Web.

An OSVDB spokesperson said in a statement that the number of computer security vulnerabilities has increased more than 2,000 percent since 1995: "Tracking these vulnerabilities and their cures is critical for those who protect networked systems against accidental misuse and deliberate attack, from home users and small businesses to globe-spanning enterprises," he said.

Richard Starnes, director of incident response at Cable & Wireless, welcomed the resource because it could help administrators keep track of an increasing number of online threats: "Administrators have to cover more than a dozen Web sites and mailing lists and it is getting to the point where even medium-sized companies are having to look at hiring an intelligence officer to keep track of the latest vulnerabilities," he said.

In the same year that the OSVDB was created, antivirus company Symantec acquired SecurityFocus, which publishes the BugTraq mailing list that provides a similar service to its subscribers and opens the information to all Web users after a few days.