In a step that researchers hope will improve the responsible disclosure process, the Open Source Vulnerability Database (OSVDB) today published a free security vendor directory that it hopes will serve as a centralized resource for vendor contact information.
"Vendors expect to be contacted when researchers find security holes -- no matter what," Jake Kouns, project lead for OSVDB, said in a statement. "However, many vendors do not provide easy-to-locate contact information on their Web sites. This makes it challenging, time-consuming and sometimes impossible for security researchers to follow responsible disclosure practices."
The OSVDB group was formed to catalog and describe security vulnerabilities from around the world. It compiled the list of vendor information that can be freely searched and updated, to create a central repository for up-to-date, accurate vendor contact information. The group believes the directory will aid security researchers who want to practice ethical disclosure, but find themselves unable to do so because vendor contact information is sometimes too challenging to find.
"There will no longer be a need to dig through Web pages to hopefully find all the necessary information anymore," Alexander Koren, an OSVDB volunteer from Germany, said in a statement. "OSVDB realizes the necessity for a current and free resource for this information, and has responded by developing the dictionary to fill this gap."
OSVDB requests that software and hardware vendors visit the directory and ensure that their contact information is accurate and complete. The group also urges vendors to reassess the means through which a researcher may contact them with vulnerability research. When compiling the information, OSVDB said it noticed that many vendors utilize Web forms for a user to submit information, which is not always convenient or the preferred contact medium.
"The function of the [directory] is merely a foundation for how OSVDB intends to revolutionize the way vulnerabilities are disclosed to the vendor," Brandon Shilling, a member of the OSVDB development team, said in a statement. "[It's] the first phase for additional upcoming services including assisting researchers with ethically disclosing vulnerabilities, helping to verify vulnerabilities and the OSVDB vulnerability portal."