Government // Enterprise Architecture
Commentary
12/17/2007
04:04 PM
Serdar Yegulalp
Serdar Yegulalp
Commentary
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

The Openness Of The Open Source Vulnerability Database

There are a lot of open source initiatives out there that aren't just software, but ways to get information into people's hands. Today an open source supplier of security vulnerability information, the OSVDB, just went live with a whole new revision to its service. The information it provides is free, albeit with some strings attached that have raised a few hackles.

There are a lot of open source initiatives out there that aren't just software, but ways to get information into people's hands. Today an open source supplier of security vulnerability information, the OSVDB, just went live with a whole new revision to its service. The information it provides is free, albeit with some strings attached that have raised a few hackles.

The basic idea's pretty elegant: Take all the ethically disclosed software security information you can find and make it available in as detailed and up-to-date format as you can without the interests of any particular software vendor. The results can and have been integrated with a number of third-party security products such as Nikto (itself an open source product).

The licensing scheme for the OSVDB has raised a couple of hackles, though. While folks can download the entire OSVDB database and repurpose it in a for-profit or open source product, you need to contact the OSVDB about reusing the data and reference it as the source throughout the product itself. And while the schema for the data, and the data itself, are freely available, as far as I have been able to tell the code for the OSVDB's interface, the Web site, and the OSVDB search system itself are not available as an open source product.

One critic of this setup (posted in Slashdot's comments section back in 2004 when the OSVDB went live) derided the OSVDB's custom license and use of "open source" as little more than a "marketing term." He further ventured a guess that after a year or two it would be bought out and turned into a commercial outfit. That hasn't happened, and I doubt it would, but the design of the service brings up an ethical question: Are the maintainers of the OSVDB ethically bound to release the site's search code as well as the data and its schema?

It's a tough question. Wikipedia, for instance, has its own software available as an open source application, although the data in Wikipedia, the way you access it, and the ends it's put to are markedly unlike the OSVDB. It could be argued that the value of the OSVDB isn't exclusively in its presentation through the OSVDB Web site, and so releasing the presentation code wouldn't be as useful as releasing the data.

I'm fairly sure issues like this will become more, not less, common as the general concept of openness as a standard to aspire to spreads. I've sent the folks at the OSVDB an e-mail about this whole thing and will be printing what they say in a follow-up.

Comment  | 
Print  | 
More Insights
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest September 18, 2014
Enterprise social network success starts and ends with integration. Here's how to finally make collaboration click.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.