The Openness Of The Open Source Vulnerability Database

There are a lot of open source initiatives out there that aren't just software, but ways to get information into people's hands. Today an open source supplier of security vulnerability information, the OSVDB, just went live with a whole new revision to its service. The information it provides is free, albeit with some strings attached that have raised a few hackles.

The basic idea's pretty elegant: Take all the ethically disclosed software security information you can find and make it available in as detailed and up-to-date format as you can without the interests of any particular software vendor. The results can and have been integrated with a number of third-party security products such as Nikto (itself an open source product).

The licensing scheme for the OSVDB has raised a couple of hackles, though. While folks can download the entire OSVDB database and repurpose it in a for-profit or open source product, you need to contact the OSVDB about reusing the data and reference it as the source throughout the product itself. And while the schema for the data, and the data itself, are freely available, as far as I have been able to tell the code for the OSVDB's interface, the Web site, and the OSVDB search system itself are not available as an open source product.

One critic of this setup (posted in Slashdot's comments section back in 2004 when the OSVDB went live) derided the OSVDB's custom license and use of "open source" as little more than a "marketing term." He further ventured a guess that after a year or two it would be bought out and turned into a commercial outfit. That hasn't happened, and I doubt it would, but the design of the service brings up an ethical question: Are the maintainers of the OSVDB ethically bound to release the site's search code as well as the data and its schema?

It's a tough question. Wikipedia, for instance, has its own software available as an open source application, although the data in Wikipedia, the way you access it, and the ends it's put to are markedly unlike the OSVDB. It could be argued that the value of the OSVDB isn't exclusively in its presentation through the OSVDB Web site, and so releasing the presentation code wouldn't be as useful as releasing the data.

I'm fairly sure issues like this will become more, not less, common as the general concept of openness as a standard to aspire to spreads. I've sent the folks at the OSVDB an e-mail about this whole thing and will be printing what they say in a follow-up.