Topics: Open Source

The Openness Of The Open Source Vulnerability Database

Posted by Serdar Yegulalp, Dec 17, 2007 04:04 PM

There are a lot of open source initiatives out there that aren't just software, but ways to get information into people's hands. Today an open source supplier of security vulnerability information, the OSVDB, just went live with a whole new revision to its service. The information it provides is free, albeit with some strings attached that have raised a few hackles.

The basic idea's pretty elegant: Take all the ethically disclosed software security information you can find and make it available in as detailed and up-to-date format as you can without the interests of any particular software vendor. The results can and have been integrated with a number of third-party security products such as Nikto (itself an open source product).

The licensing scheme for the OSVDB has raised a couple of hackles, though. While folks can download the entire OSVDB database and repurpose it in a for-profit or open source product, you need to contact the OSVDB about reusing the data and reference it as the source throughout the product itself. And while the schema for the data, and the data itself, are freely available, as far as I have been able to tell the code for the OSVDB's interface, the Web site, and the OSVDB search system itself are not available as an open source product.

One critic of this setup (posted in Slashdot's comments section back in 2004 when the OSVDB went live) derided the OSVDB's custom license and use of "open source" as little more than a "marketing term." He further ventured a guess that after a year or two it would be bought out and turned into a commercial outfit. That hasn't happened, and I doubt it would, but the design of the service brings up an ethical question: Are the maintainers of the OSVDB ethically bound to release the site's search code as well as the data and its schema?

It's a tough question. Wikipedia, for instance, has its own software available as an open source application, although the data in Wikipedia, the way you access it, and the ends it's put to are markedly unlike the OSVDB. It could be argued that the value of the OSVDB isn't exclusively in its presentation through the OSVDB Web site, and so releasing the presentation code wouldn't be as useful as releasing the data.

I'm fairly sure issues like this will become more, not less, common as the general concept of openness as a standard to aspire to spreads. I've sent the folks at the OSVDB an e-mail about this whole thing and will be printing what they say in a follow-up.

« The Corporate Vista Slow-Down | Main | Join Us Tuesday For GridTalk With The Founder Of Caledon »

This is a public forum. United Business Media and its affiliates are not responsible for and do not control what is posted herein. United Business Media makes no warranties or guarantees concerning any advice dispensed by its staff members or readers.

Community standards in this comment area do not permit hate language, excessive profanity, or other patently offensive language. Please be aware that all information posted to this comment area becomes the property of United Business Media LLC and may be edited and republished in print or electronic format as outlined in United Business Media's Terms of Service.

Important Note: This comment area is NOT intended for commercial messages or solicitations of business.

Blog Categories
Healthcare Cloud Computing Enterprise 2.0 Digital Life Grok On Google Over The Air Outsourcing Global CIO Startup City Information Management Content Management Green Computing Full Nelson Unified Communications	Hardware Government IT Analytics Tech Stocks Interop Security Microsoft Apple Unvarnished Open Source Wolfe's Den David Berlind's Tech Radar Virtualization Storage Backup and Business Continuity
Blog Homepage