OSVDB Shut Down Permanently

The maintainers of the Open Sourced Vulnerability Database (OSVDB) announced this week that the project will be shut down permanently due to the lack of support from the industry.

“As of today, a decision has been made to shut down the Open Sourced Vulnerability Database (OSVDB), and will not return. We are not looking for anyone to offer assistance at this point, and it will not be resurrected in its previous form,” Brian Martin, aka Jericho, one of the leaders of the OSVDB project, said in a blog post.

“This was not an easy decision, and several of us struggled for well over ten years trying to make it work at great personal expense. The industry simply did not want to contribute and support such an effort,” Martin added.

While the OSVDB will be shut down, the project’s blog will remain active as a “place for providing commentary on all things related to the vulnerability world.”

The OSVDB, announced in August 2002 and launched to the public in March 2004, was created as a project whose goal was to provide accurate and unbiased information about security vulnerabilities. Over the course of 12 years, the OSVDB, which had been free for non-commercial use, catalogued more than 100,000 flaws affecting a large number of products.

The OSVDB was primarily sponsored by Risk Based Security, which was also the project’s commercial partner, and aided by donations from Switzerland-based web security company High-Tech Bridge.

The project received some legal threats from unhappy vendors whose products were listed in the database. However, an even bigger issue was that some individuals and companies had attempted to automatically scrape the database and use the information for commercial purposes without having to pay for access.

HD Moore, one of the project’s early contributors, learned from Risk Based Security that the data in the OSVDB will not be made available. Moore believes the project failed due to its poor business model.