The Openness Of The Open Source Vulnerability Database
There are a lot of open source initiatives out there that aren't just software, but ways to get information into people's hands. Today an open source supplier of security vulnerability information, the OSVDB, just went live with a whole new revision to its service. The information it provides is free, albeit with some strings attached that have raised a few hackles.
The basic idea's pretty elegant: Take all the ethically disclosed software security information you can find and make it available in as detailed and up-to-date a format as you can, independent of the interests of any particular software vendor. The results can be, and have been, integrated with a number of third-party security products such as Nikto (itself an open source product).
The licensing scheme for the OSVDB has raised a couple of hackles, though. While folks can download the entire OSVDB database and repurpose it in a for-profit or open source product, they need to contact the OSVDB about reusing the data and reference it as the source throughout the product itself. And while the schema for the data, and the data itself, are freely available, as far as I have been able to tell the code for the OSVDB's interface, the Web site, and the OSVDB search system itself are not available as an open source product.