0

Can someone explain the differences between a CVE and an OSVDB identifier? Both seem to serve the purpose of uniquely identifying a vulnerability or an exposure; however, not every OSVDB entry also has a CVE number.

How are both related, and how is it decided which one is assigned to a certain vulnerability?

Kyu96

1 Answer

1

They are both vulnerability tracking databases; if a vulnerability is registered in both databases, it has both identifiers. There is no other correlation. OSVDB did track a much larger number than CVE (in part due to how MITRE assigns CVEs), which is probably why you come across entries that only have OSVDB.

You could say it is similar to how different antivirus vendors have different identifiers for the same malware.

wireghoul
  • I believe OSVDB shut down years ago. – user10216038 Dec 08 '19 at 17:56
  • It did; however, the IDs are still in use by many tools. There are some data integrated in other databases, and the founders had a commercial offering as per https://security.stackexchange.com/questions/118937/any-way-to-browse-osvdb – wireghoul Dec 08 '19 at 19:09
  • @wireghoul So is it up to the security researcher or vendor which database they report the vulnerability to? How is it decided which database is used to track a certain vulnerability? – Kyu96 Jan 13 '20 at 20:13