
If there are any Europeans here, I'd love to make my vulnerability database that's accumulated from all linux security trackers and the CVE/NVD open source if I can manage to find some folks who'd help with maintenance.

Currently hosting costs are unclear, but it should be doable if we offer API access for like 5 bucks / month for private and 100 / month for corporate or similar.

Already did a backup of the NVD in the last couple hours, currently backing up the security trackers and OVAL feeds.

Gonna need some sleep now, it's morning again.

My project criteria:

- hosting within the EU

- must have a copyleft license (AGPL)

- must have open source backend and frontend

- dataset size is around 90-148 GB (compressed vs uncompressed)

- ideally an e.V. for managing funds and costs, so it can survive me

- already built my vulnerability scraper in Go, would contribute it under AGPL

- already built all schema parsers, would contribute them also under AGPL

- backend and frontend needs to be built

- would make it prerendered, so that CVEs can be static HTML files that can be hosted on a CDN

- needs submission/PoC/advisory web forms and database/workflow for it

- data is accumulated into a JSON format (sources are mixed non-standard formats for each security tracker. Enterprise distros use OData or OVAL for the most part)

If you are interested, write me on linkedin.com/in/cookiengineer or here.
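The accumulation step the post describes (per-source parsers folding everything into one JSON record per CVE, then prerendering static HTML) can be sketched in Go. The following is an added example written for this thread; it is not the poster's scraper or parsers. It assumes a unified `Vuln` record of my own design, reads only a small subset of the NVD CVE JSON 2.0 layout and of an OVAL definitions document, and the two sample inputs are constructed with placeholder CVE IDs.

```go
package main

import (
	"encoding/json"
	"encoding/xml"
	"fmt"
	"html/template"
	"strings"
)

// Vuln is the unified record every source is folded into. This field set is an
// assumption of the example, not the poster's actual schema.
type Vuln struct {
	ID         string   `json:"id"`
	Summary    string   `json:"summary"`
	Sources    []string `json:"sources"`
	References []string `json:"references,omitempty"`
}

// nvdFeed covers only the subset of the NVD CVE JSON 2.0 layout read here.
type nvdFeed struct {
	Vulnerabilities []struct {
		CVE struct {
			ID           string `json:"id"`
			Descriptions []struct{ Lang, Value string } `json:"descriptions"`
			References   []struct{ URL string }         `json:"references"`
		} `json:"cve"`
	} `json:"vulnerabilities"`
}

// ovalDefs covers only definition id, description and CVE references.
type ovalDefs struct {
	Definitions []struct {
		ID   string `xml:"id,attr"`
		Desc string `xml:"metadata>description"`
		Refs []struct {
			Source string `xml:"source,attr"`
			RefID  string `xml:"ref_id,attr"`
		} `xml:"metadata>reference"`
	} `xml:"definitions>definition"`
}

// addRecord merges one source's view of a CVE into the accumulated map.
func addRecord(acc map[string]*Vuln, id, summary, source string, refs []string) {
	v, ok := acc[id]
	if !ok {
		v = &Vuln{ID: id}
		acc[id] = v
	}
	if v.Summary == "" { // first source that describes the CVE wins
		v.Summary = summary
	}
	v.Sources = append(v.Sources, source)
	v.References = append(v.References, refs...)
}

// Accumulate parses an NVD feed and an OVAL document and keys both by CVE ID.
func Accumulate(nvdJSON, ovalXML []byte) (map[string]*Vuln, error) {
	acc := map[string]*Vuln{}
	var feed nvdFeed
	if err := json.Unmarshal(nvdJSON, &feed); err != nil {
		return nil, fmt.Errorf("nvd: %w", err)
	}
	for _, item := range feed.Vulnerabilities {
		summary, refs := "", []string{}
		for _, d := range item.CVE.Descriptions {
			if d.Lang == "en" {
				summary = d.Value
				break
			}
		}
		for _, r := range item.CVE.References {
			refs = append(refs, r.URL)
		}
		addRecord(acc, item.CVE.ID, summary, "nvd", refs)
	}
	var defs ovalDefs
	if err := xml.Unmarshal(ovalXML, &defs); err != nil {
		return nil, fmt.Errorf("oval: %w", err)
	}
	for _, d := range defs.Definitions {
		for _, r := range d.Refs { // one OVAL patch definition may cover several CVEs
			if r.Source == "CVE" {
				addRecord(acc, r.RefID, d.Desc, "oval:"+d.ID, nil)
			}
		}
	}
	return acc, nil
}

// RenderStatic prerenders one HTML page per CVE (file name -> content) with
// html/template, so source-supplied text is escaped before it reaches a CDN.
func RenderStatic(acc map[string]*Vuln) (map[string]string, error) {
	tmpl := template.Must(template.New("cve").Parse(`<!doctype html><title>{{.ID}}</title>` +
		`<h1>{{.ID}}</h1><p>{{.Summary}}</p><p>Sources: {{range .Sources}}{{.}} {{end}}</p>` +
		`<ul>{{range .References}}<li><a href="{{.}}">{{.}}</a></li>{{end}}</ul>`))
	out := map[string]string{}
	for id, v := range acc {
		var sb strings.Builder
		if err := tmpl.Execute(&sb, v); err != nil {
			return nil, err
		}
		out[id+".html"] = sb.String()
	}
	return out, nil
}

// Constructed sample inputs; the CVE IDs are placeholders, not real entries.
const sampleNVD = `{"vulnerabilities":[{"cve":{"id":"CVE-1900-0001",
 "descriptions":[{"lang":"en","value":"Buffer overflow in <example> parser."}],
 "references":[{"url":"https://example.invalid/advisory/1"}]}}]}`

const sampleOVAL = `<oval_definitions><definitions>
 <definition id="oval:example:def:1" class="patch"><metadata><title>Example patch</title>
  <reference source="CVE" ref_id="CVE-1900-0001"/><reference source="CVE" ref_id="CVE-1900-0002"/>
  <description>Update fixes two constructed CVEs.</description>
 </metadata></definition></definitions></oval_definitions>`

func main() {
	acc, err := Accumulate([]byte(sampleNVD), []byte(sampleOVAL))
	if err != nil {
		panic(err)
	}
	js, _ := json.MarshalIndent(acc, "", "  ")
	fmt.Println(string(js))
	pages, _ := RenderStatic(acc)
	fmt.Println(pages["CVE-1900-0001.html"])
}
```

The merge is deliberately append-only: every source that mentions a CVE is recorded in `Sources`, so a later reviewer can see which tracker a claim came from, and the `<example>` text in the constructed summary shows why the prerender step goes through `html/template` rather than string concatenation.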



Honest question: Does this not already exist?

- https://vulnerability.circl.lu/

- https://osv.dev/

- https://vuldb.com/

And a few others?



> https://euvd.enisa.europa.eu/

They already did it. Great!

Maybe we can ask them how to contribute to their software, as it seems to be proprietary at the moment?

edit: lol, their manifest.json is still the React boilerplate: https://euvd.enisa.europa.eu/manifest.json

Their database seems to also only contain fairly recent CVEs (up until 2019? some CVEs are missing...) and not before that


To quote the article

  "Fourth, national vulnerability databases like China’s and Russia’s, among others, will largely dry up (Russia more than China)."

  "Fourth [sic], hundreds, if not thousands, of National / Regional CERTs around the world, no longer have that source of free vulnerability intelligence."

  "Fifth [sic], every company in the world that relied on CVE/NVD for vulnerability intelligence is going to experience swift and sharp pains to their vulnerability management program."


All major powers have at least one each, some few for different parts of bureaucracy. Most of them are probably minimum budget operations just rsync-ing US CVD but they exist.


We can only hope they will get enough exposure now so they can get funding to fix stuff.


Other authorities: https://www.cve.org/programorganization/cnas

The CVE program is really important. This Administration is truly the example of the D.O.G.E. - Department Of Gaffes and Errors


This is (without any irony) the first useful thing I see from ENISA.


OSV is made by Google/Alphabet and therefore also prone to Trump intervention (see Gulf of Mexico executive order).

The circl.lu might be actually a potential cooperation partner.

(Vuldb is down right now)


you've slept just 3 hours? Go back to bed..


Maybe just a toilet break (see the bio): > Fun fact: All my comments have been written on the toilet. I don't use social media anywhere else.


Taking TDD to a level it’s never been before


Yep, toilet and now back to bed :D



hmm? it's already daytime in Europe where he's located


The EU should just buy MITRE. Move it to the EU and make it an EU-based project.


I don't think the EU has any interest in this. They've been aware of the risk of relying on the US for software security for years, but AFAIK there have been no efforts to do anything about it. Maybe the current situation will kick some butts into gear ...

Off topic: your username is very appropriate given the situation.


I thought exactly the same until

https://euvd.enisa.europa.eu/

Appeared on the front page, with © 2005-2024 by the European Union Agency for Cybersecurity.

This is just an example of US cultural defaultism.



>They've been aware of the risk of relying on the US for software security for years, but AFAIK there have been no efforts to do anything about it.

Indeed. Just as Germany knew its economy was vulnerable to Russian gas and did nothing about it, even after the 2014 invasion of Crimea. Just as the West knew moving its entire manufacturing sector to one country would make it vulnerable, but chose to ignore it because it was too profitable.

I never EVER saw politicians act proactively for the good of the nation or the people, all they do is act reactively after the shit hits the fan to control public opinion and blame someone else to make sure they get re-elected, that's it.

Once you realize our rulers aren't competent at their jobs or acting in the peoples' best interest, it all makes sense. They're in it for the grift and to enrich their monopolistic friends in the private sector, to make sure line goes up in the next quarter, that's it.

Yes, I know there are good politicians out there who care and fight for their local communities, but they never make it to rule at national or international stage and actually change the rotten system because the status quo doesn't allow that.


> I never EVER saw politicians act proactively for the good of the nation or the people,

This is almost certainly because those cases don't make the news.


Yup.

Politicians react to the public when it stands up. Otherwise it will follow other agenda's.

That is why it is critical to have an informed public. When journalism has to compete with corporate-owned Fake News and Entertainment, journalism dies, and democracy will follow. Then, add the spy business of Big Tech in the mix, with algorithmic silos. The people don't even realize they are locked up in a jar, where they live on a diet of cultural engineering.

Now, pause a moment and think about what happens when you add AI-models to the mix. Your daughter, your neighbor will be totally brain-wrecked.


>When journalism has to compete with corporate owned Fake News and Entertainment, journalism dies, and democracy will follow.

Which journalism are you referring to? The one owned by Rupert Murdoch? The Washington Post owned by Jeff Bezos? MSNBC? CNN? Are they better just because they're owned by different billionaires and interest groups?

I got news for you, the journalism you knew died a long time ago.


American independent journalism seems to be dying (unfortunately) but I think in Europe there are several large news organizations reporting on things that matter in a relatively independent fashion, at least a lot more independent than what we see happening in the US (I'm thinking of e.g. The Guardian, Le Monde, I could also name a couple of Dutch news sources, but they would mean nothing to 95% of the readers here).


That is not news to me (see my post history). The information landscape in America is segmented, and works to keep the Big Picture out the frame. To quote myself:

  - No real journalism, instead, career in media house depend on commercial ownership. Narratives tailored to segment, but no deep and critical analysis. 

    - "Let us talk about the tariffs today, they make zero economic sense" 
    - "I think what he meant is..." 
    - "Of course this is not entirely correct, but..." 
    - "President Trump has said.."
    - "Rubio did a press conference today"

    - Only drama, never the Big Picture.

    - Elections? According to the press, those are just
       - The latest polls!
       - Repeat marketing from spin doctors at affiliated media houses
       - "Debate" = Reality TV, scores are given on wit and emotional play

As an English speaker, you have one option and that is to read The Guardian.


They do where I live, but those are drops in the bucket compared to the industrial scale theft(wealth transfer) the central government operates.


Well, in the United States it doesn't make the news.


It's certainly because they have a belief based in ideology, not fact.


Perfect example of the "one-deep" conservative response.

PP is looking for a pattern, finding, and abstaining from questioning or contextualizing it:

Engaging only with the first or most obvious layer of an issue—never going deeper into context, nuance, or systemic causes.

The quickest counterexample that comes to mind is Elizabeth Warren's Consumer Financial Protection Bureau. It has returned billions to American citizens.


I'm gonna have to stop engaging with you here if you start a comment by accusing someone of being a conservative.

If your first reaction is putting people into political/ideological camps in order to make their arguments weaker and easier to attack from a holier-than-thou political/ideological angle, it's game over for me, as I like to judge actions objectively based on the outcomes, not conservative vs democrat, left vs right, etc., since corruption and incompetence are colorblind.

I don't care which side of the political aisle did what. I'm pointing at the systemic failures of the entire system, built like a house of cards by all political parties, which collapsed as no thought was put into building it, and only chased short-term profits at the expense of long-term security. Trying to finger-point a single political side only detracts from the issue, which is the classic "divide and conquer" tactic politicians have been using to deflect blame and get away with it.


The death of Occam's razor, because protecting one sensitive person's tribal political identity is more important than solving the problem.


It is damningly simple, the root cause beneath far too many issues our advanced civilization faces: we have a global adult immaturity issue, species wide. The leaders that are crony capitalist and widely populist are in truth terribly immature public figures. Our incredibly short sighted (also an immature behavior) news and analyst media pretends to be adult while never really having any solutions that are not plain school yard bullying and tribe glorifying. And the public is only allowed outsider fringe opportunities to include their voice in these public non-debates. We do not produce adults anymore, we produce a civilization of Lindsay Lohans that think they are adult men and women.


If capitalism is allowed to operate without regulation, it corrodes.

If government is allowed to operate without regulation, it corrodes.

The pattern is clear. Unchecked power imbalances are bad for everyone, but the folks at the top of a power imbalance generally advocate for it, and change the environment to ensure their power and reduce everyone else.


What is that aspect of humanity that causes unchecked power to imbalance anyone and everyone? I'm saying it is unchecked immaturity. Recognition is step one. If the species identifies en mass there is an unchecked immaturity issue in adults, a huge amount of it will evaporate, and people will be given an excuse to start calling other adults on their immaturity. Harsh, but necessary as the immature are actively justifying destroying people all over the place.


Let's say you're right and people's immaturity is the issue.

The problem is, if you try to check people's immaturity and call it out, you get labeled a bigot, a fascist, or a $fobe.

So people's immaturity is a consequence of the modern toxic positivity and cancel culture the west has bred where you aren't allowed to say anything that might hurt someone's feelings, so people grow up in a bubble of fakeness that's detached from real world issues.

You're pointing out the end effect but not the cause that has led to that.


I'm trying to create a recognition of immaturity as an adult problem issue, and if that recognition takes place then society will generally recognize the issue, and that becomes internalized as an issue people understand.

The goal is not to call people out, the goal is recognition as a real, active issue at the root of a lot of public figure behavior. Those behaviors need to be called out, and those public figures shamed for their immature behaviors and immature opinions - which non-public figures then mimic in ordinary life. Which is an immaturity that I do not expect to be called out, which sound like you're focusing.

Beneath the immature world view and attitude is self deception, a far harder issue to call out. That self deception is caused by religious claims of answers to unanswerable questions. To accept an unanswerable question's "answer" from another is a self deception, driven by anxiety and fear. Life has uncomfortable unanswerable questions, and facing those unanswerable questions is a critical part of becoming mature - there are no answers to these questions about what happens or if there is an afterlife. By supplying answers to these critically unanswerable questions, religions create immature individuals that are in fact trapped within the cult of that religion's reasoning, which tends to be terribly immature in far too many logical manners. Then you get morons.


>I'm trying to create a recognition of immaturity as an adult problem issue

Adults don't just spawn into the world like characters in a video game. They're raised and educated into adulthood by the previous generation parents and political regimes. So if you want to point the finger for the issue with current generation, point it at those who raised and cared for them, as it was their job.

>and if that recognition takes place then society will generally recognize the issue, and that becomes internalized as an issue people understand.

The issue with your logic is that you assume society can recognize issues and acts rational to issues, when in fact it does not.

Society selectively chooses what it recognizes as issues, based on emotional manipulation and tribal behavior.


It is also the job of an individual. Immaturity is a choice. A choice to be adult or not to be an adult, and to pretend one is an adult when they are not is also immature. It's a vicious cycle each individual is in full control, despite their awareness of it.


Ah yes, great strategy. After they've been fucked over by a generation of bad parenting, bad governing, bad education and bad economics, go and tell them it's their fault and how they should pull themselves up by their bootstraps.

What could go wrong? I'm sure they'll vote rationally and responsibly and not in a vindictive way to watch the system burn to the ground. /s

“A society grows great when old men plant trees in whose shade they shall never sit.” — Greek Proverb

What our society did instead was cut down the tree to save money on upkeep and increase the value of their property. Sorry, but you reap what you sow.


Of course children will react with emotion, which is why the only alternative is to treat them as an adult. Point out they can end the cycles they were born into by identification and effort. There is no other way, it cannot be done for them.


Germany had the best deal for gas possible with Russia, I don’t understand the sentiment calling it a vulnerability. There is still a working pipeline available and Russia stated clearly it would continue delivering gas, if Germany wants to.


Except what Russia states and what Russia does are only aligned when it serves Russia. Russia stopped delivering gas through NordStream 1. After that, Germany took note of the danger and decided it would do better without that dependency.

https://www.aljazeera.com/economy/2022/9/2/russias-gazprom-k...


> Germany took note of the danger and decided it would do better without that dependency.

So they just swapped dependencies. And it's not that the new dependency will have no strings attached.

Diversifying while keeping russian energy in the loop, as part of a risk-management strategy, would make more sense. Completely cutting off russian energy just gives more bargaining power to their new energy provider.


If we put half the effort into shoring up our institutions and reinforcing our shared norms and cooperative values as we are into "de-risking" everything, right now, and all at once, we'd all be in a much better place. Overnight we all just accepted that this new transactional, mercantile, hostile mentality was the way of things and the only way it can be. This is a self-fulfilling fatalistic prophecy and is going to move us backwards into a much worse, less prosperous world, empowering the bullies and the tyrants even more.

Greed got us here. There's a rules based world possible where Russia sells gas to Germany. Russia did not transform from an free and democratic society with respect for human rights and the international community into an authoritarian dictatorship overnight; we turned a blind eye to this when it suited our short term economic needs and that is how we allow ourselves to sleepwalk into the situation we are now. Had we held first to our principles we'd have either had the impact the neoliberal trade focused policies were supposed to eventually deliver or at the very least not ended up with dependencies that gave such governments leverage and eventually blow up in our faces. Had we instead put human rights first and foremost we would not have created and empowered these monsters.

Same thing with Trump's reelection in the US. By all rights in a functioning democracy Trump should be sitting in jail right now along with the January 6th insurrectionists. The Biden administration had 4 years to prosecute, but felt it was not politically expedient to do so. Likewise what is left of the GOP within the republican caucus right now faces a similar choice between short term benefits and upholding the principles which nearly everyone in congress and even the Trump administration has previously claimed they would uphold.


> Had we held first to our principles

*our alleged principles

Something can't be called a "principle" when it is only selectively applied.


> There is still a working pipeline available and Russia stated clearly if would continue delivering gas, if Germany wants to.

You conveniently leave out that minor detail that it was RUSSIA who stopped the gas.

Germany tried hard to keep it going, even making a sanction-exemption or a Siemens turbine repaired in Canada, which according to Russia was needed. Only that when they were to receive it nothing happened, gas stopped anyway.


Nordstream 1, which had, if I recall correctly, one working turbine left, went into inspection, during which an oil spill was noticed and the restart of the service was postponed. Shortly after, Nordstream 1 Pipeline A + B and Nordstream 2 Pipeline A were blown up. It’s up for debate whether the oil spill uncovered during the inspection, which postponed the gas delivery, was a political move. The turbine, which is subject to sanctions, should have still been in transit during that time and, even if delivered, useless.

There is still Nordstream 2 Pipeline B intact and available to deliver gas, and it uses Russian-made turbines, unlike Nordstream 1.

The whole discussion is very special, to say the least, if you leave out that some adversary blew up the infrastructure.


Russia refused to accept the turbine! It was in Germany, and Russia blocked the delivery.

"Moskau blockiert offenbar Weitertransport von Nord-Stream-1-Turbine" ("Moscow apparently blocks further transport of Nord Stream 1 turbine") -- https://www.rnd.de/politik/russland-blockiert-offenbar-weite...

I'm German, I followed those developments closely at the time. Russia refused to deliver gas! The blowing up of the pipes happened quite some time after that!

You also don't mention that German Gasprom, which controlled German gas reserves, emptied them just before the war! -- https://www.faz.net/aktuell/wirtschaft/gas-speicher-in-deuts... (German, paywall), -- https://www.zeit.de/news/2022-01/21/ungewoehnlich-leere-gass...

That shows that Russia prepared for using gas as an economic weapon against Germany especially well before they even started the war.

From the Zeit article:

German

> "Die Gasflüsse über die deutschen Grenzen sind unüblich niedrig für diese Jahreszeit - mit Ausnahme von Nord Stream 1, die sind konstant hoch", sagt Fabian Huneke. Es sei verwunderlich, dass vor dem Hintergrund der hohen Preise und der hohen Nachfrage die Gaslieferkapazitäten Richtung Europa so wenig genutzt würden. "Wenn Gazprom sich marktrational verhalten würde, würden sie die Gaslieferungen nach Europa auch durch die Pipelines, die durch Belarus und die Ukraine führen, verstärken." Den Grund für dieses Verhalten sieht der Energiemarktexperte in der Ukraine-Krise.

English, translated by Google

> "The gas flows across the German borders are unusually low for this time of year - with the exception of Nord Stream 1, which are consistently high," says Fabian Huneke. It is surprising that, given the high prices and high demand, the gas delivery capacities to Europe are so little used. "If Gazprom behaved in a market-rational manner, they would also increase gas supplies to Europe through the pipelines that run through Belarus and Ukraine." The energy market expert sees the reason for this behavior in the Ukraine crisis.


The transport of the turbine was accompanied by sanctions and each party didn’t want to get punished, awaiting exemption documents for delivery. As the article already states in the headline and further acknowledges in the content, Russia was not refusing to get their turbine back but waiting for documents themselves, which the article beautifully conceals with the little word ‘apparently’.

The unusually low gas storage reserves at the beginning of the year 2022 in Germany, at 45% compared to the usual 75%, while Nordstream 1 was delivering at full capacity, could be related to the sanctions which led Poland to stop transit through the Jamal pipeline and other transit routes through Ukraine, and possibly gas market trade activities. Having just the ‘economic weapon’ argument is lacking, especially in regard that Russian gas is still to this day reaching Germany and it is in the interest of Russia to deliver.


> Moskau

Tangentially... how did the German name of the city/region get into _that_ form? Is it a loan from English?? Germany and Russia have been closely entwined for centuries.

Wikipedia has a comment which appears to make no sense:

> The [old] form Moskovĭ has left traces in other languages, including English: Moscow; German: Moskau; French: Moscou; Portuguese: Moscou, Moscovo; and Spanish: Moscú.


Seems it's actually (in both German and English) developed from older Russian forms, and Russian shifted afterwards again: https://en.wikipedia.org/wiki/Moscow#Etymology


But all of the older forms include a /v/. How did that drop out of every language except Portuguese?

(There is an English term Muscovy for the region, but wiktionary suggests that it derives from the formal name given to the region in international Latin rather than deriving from Russian. In that case, a /w/ would also generate a letter V, so there's no explanatory power.)


U, v and w are all derived from the same letter v, for which no distinction existed in latin (same for i, j and y).

Apparently, when different languages started to make the distinction, they picked a different letter combination: ov, ou, ow, au, ú, etc. probably depending on the local way of pronouncing the word.

Same for latin ivvenis, modernized to juvenis, which gave young, jeune, jung, joven, etc.


The letters "U", "V", and "W" are all derived from the same letter, the Latin "V". The sounds /u/, /v/, and /w/ are different.

We're talking about a period many centuries after Latin phonology might have been relevant. The word doesn't come from Latin. Old English has no confusion between [v] and [w] to begin with; [w] is part of the phoneme /w/ and [v] is part of the phoneme /f/. In Middle English there's a distinction between /f/ and /v/, where we see French-derived words like village and vine distinguished from English-derived words like fill and fire, and from French-derived words like fine.

So what happened?

> Same for latin ivvenis, modernized to juvenis, which gave young, jeune, jung, joven, etc.

Please don't just invent things that sound good to you. Young and (German, I assume) jung don't come from Latin either.

> U, v and w are all derived from the same letter v, for which no distinction existed in latin (same for i, j and y).

Again, please don't just make up random non-facts. Latin has no letter J. It does recognize Y, as the Greek letter upsilon, which it distinguishes from all Latin vowels. The fact that Romance languages name "Y" the "Greek I" should have been a hint of this. You can hardly read any Latin that mentions Greeks without running into it; compare Pyramus, Thucydides.


Except that Russia did not deliver (not any meaningful amount anyways), when the pipelines were still intact. And yes, they pretended to be willing, firing off a series of excuses sufficiently transparent to make it clear between the lines that it's a demonstration of power. Get your history straight: "Russia stated clearly if would continue" has between zero and negative value.


NordStream 1 had been stopped from Russian side for nearly 4 months before this, with constantly shifting goal post excuses.


>I don’t understand the sentiment calling it a vulnerability

  - You're Germany.
  - You join NATO for protection from Russia, an actor with a long history of military aggression[1]
  - Your export economy is based on manufacturing.
  - The energy driving your manufacturing sector is ~60% cheap gas from Russia, your militarily aggressive partner.
  - Russia invades Georgia in 2008 and Ukraine in 2014 to no one's surprise
  - Leaders of the USA and Eastern Europe warn you of Russia's influence on your economy
  - You ignore all this and build another gas pipeline from Russia
  - You are surprised Russia invades Ukraine (again) and gas sanctions cripple your manufacturing economy

MFW German leaders and HN commenters see no vulnerability in this.

Someone please stop the planet, I wish to get off, my sanity can't handle this level of stupidity anymore.

[1] https://natoassociation.ca/a-timeline-of-russian-aggression/


> Someone please stop the planet, I wish to get off, my sanity can't handle this level of stupidity anymore.

News from an American here, on an antidepressant and deathly fat from stress eating:

I’m worried about the eventual welfare of those protesting. I’m hearing that people of color are being told by their pastor to stay home rather than protest so as not to risk being used as scapegoats.

My family and friends are divided and still dividing over politics. I recently was crazily ranted to by a big-personality immigrant entrepreneur who told me his story of how easy it was to come to the States, rags-to-riches, and how they were a supporter of the administration because “they don’t want to pay taxes for illegals”. Part of the half of the U.S. that supports the administration isn’t just brainwashed, but has a very strong, angry, and desperate look, and the other part says “just wait four years and it will be over”, but it won’t; before the election, this party used gerrymandering and legal action to ensure that election, then post-election replaced election officials and many government officials.

The DOE is claiming anti-semitism and the need to have viewpoint diversity to deny funding to schools that are known for their open viewpoints.

And yet somehow I’m still surprised when they kill the CVE program.

It’s an ever-escalating circus of chaos, because our administration thinks this was needed to ensure U.S. interests, because those vulnerable in the U.S. were manipulated by outside actors and internal power-hungry politicians and zealots, and all is spun to just feed into the chaotic nationalism that is trying to one-up every other dictator that has ever lived.

To top all of this off, AI, which I use daily, will take my job before I retire, and I have no backup plan.

Despite all of this, I have the will to live, to support those whom I love (even the crazy ones), and to try to make the world better. I continue to pray for direction on all of this.


Follow the money...

"German journalist dubbed the ‘Putin connoisseur’ had secret book deal with Russian oligarch" - https://www.icij.org/investigations/cyprus-confidential/germ...

"Russia's best friends in Germany: AfD and BSW" - https://www.dw.com/en/russias-best-friends-in-germany-afd-an...

"12 Germans who got played by Putin" - https://www.politico.eu/article/blame-germany-russia-policy/


The sources you mention are straight out of a propaganda handbook. Not worth the read and hugely fabricated fake sensational news.


Politico, ICIJ and Deutsche Welle are hardly unknown fringe sources with shady backgrounds


Instead of countering a single fact, you labeled the whole thing. That’s usually how people protect a narrative, not challenge one.


This should be work for the ENISA: https://www.enisa.europa.eu/

https://www.enisa.europa.eu/topics/vulnerability-disclosure

They have a tender going on tracking best practices: https://www.enisa.europa.eu/procurement/vulnerability-disclo...

So they will take 12 months to select for the tender...18 months pondering on the report...and in 3 years they make a tender out for a solution...


oh but you forgot the mandatory time before they even start considering the tender.

looking at average speed of bureaucracy in EU it will take roughly a year to set date for a meeting that will set the date for actual meeting which will decide if this will go forward or not....

(if you think i'm joking - i'm basing this on proposed EU initiative for nuclear power which started with setting a date of meeting to setup a meeting to draft an agenda)


Sir Humphrey ran that meeting if I recall correctly


The five stages of creative inertia: https://youtu.be/PcghKtd-yP0?t=23


100% - I wonder if this is partly by design.


I'm kind of thinking of Frank Herbert's BuSab here...


MITRE is a non-profit. All the EU has to do is reach out to MITRE and be willing to fund the project.


I know that they are a 501(c)3, but they have significant revenue and intellectual property, so in order to do the lift and shift, there would need to be some money changing hands to accomplish it. Not only that, but being owned by the EU gives the ability for MITRE employees to have the option to immigrate to the EU to protect against any retaliation.

I cannot believe I am typing that second sentence, but here we are.


> Not only that, but being owned by the EU gives the ability for MITRE employees to have the option to immigrate to the EU to protect against any retaliation.

According to which rule would "owning by the EU" result in an option to immigrate? Immigration is handled on a per-country basis. I don't see how the EU provides such an option.


https://eur-lex.europa.eu/eli/dir/2009/50/oj

The EU has agreed upon programs in order to bring in, through an immigration policy, high skilled persons from non-member states. More importantly, working within the member nations, as to which member nation would want MITRE to be located within their borders, is not something that is a hard sell given that it has economic advantages for whichever state(s) onboard MITRE.


> The EU has agreed upon programs in order to bring in, through an immigration policy, high skilled persons from non-member states.

Where in this is the option that the EU provides an option to immigrate because the EU owns something?

I'm very well aware of knowledge workers. It's not something the EU can provide as an option. What you linked to is the legal framework around how EU members can provide such a thing.


That still leaves decisions on who to admit to states. As far as I can see its main effect is to allow people admitted to one country as highly skilled to travel to (not live in) other countries?


The EU can accomplish it with diplomacy. It’s unknown technology in America, but diplomacy and asking to work together is truly powerful.


> The EU can accomplish it with diplomacy.

Agree. It'll likely happen that way. Still, dislike the initial incorrect assertion.


I think all the big companies that owe their ongoing business should band together and fund it. No way an organization like this should rely on just one sponsor.


I think that I'm in favour of pricing in externalities like this.

What cross-industry organisations exist that could coordinate?


Non-profit means (in this case) paid by somebody who does not have anything to say about the transaction. It would be better to pay for it so that people who are interested in this subject have a say.


This would be hilarious. That would be a good thumb in the eye to the current administration who complained long and loud about how Obama let ICANN leave US possession. Just imagine the campaign commercials in 2026,

>The POTUS transferred our cyber defenses to the EU

Ouch


Well, that's kind of the point? The current administration doesn't care about cyber defense, any less than it cares about protecting the environment, protecting consumers, having top-notch universities and research, foreign aid etc. etc. Actually, it takes pride in not caring about all of these things.


My guess is that they feel they are supplying something the whole world is benefiting from, and they believe that unfair. That ignores the fact that the US benefits immensely from this, and that they benefit domestically from providing that benefit more widely by getting a lot of free contributions from the outside. But the US foots the bill of those who do get paid, so it's unfair...


This American admin doesn't seem to understand the benefits of leadership. Like being the de facto currency, the ability to operate while deep in debt, etc.


It's so unfair that I have a great job so I can treat my friends to dinner all the time! I hate being rich.


It's rather "I know I'm rich, but why do friends expect ME to pay for dinner all the time? It's so unfair!".


It's a bit like when you are a two-bit loser but have a private island where you can do whatever you like, and invite every celebrity you can find over to party every weekend, then start complaining that they haven't paid any of the island running costs and that they are all spongers because you are the main attraction of the island parties.


I find your analogy to be poor: is someone owning a private island and familiar with lots of celebrities a loser? I'd very much like to be such a "loser".


Another analogy: my friends and I often eat at the restaurant I own, and occasionally, I pick the tab. I complained angrily about it, and now they want to try out other restaurants or dine at home.


And at the best restaurants! And I get to choose the restaurant! And choose when we eat! And pick the appetizers, drinks, entrees, and dessert!

So instead I will allow myself to be robbed and we'll all share the cost of a low-key restaurant. Or maybe let's charge each other to eat together, yeah!


Not to mention the administration aren't going to be held accountable for, or actually be impacted by, the harms that come from their actions.


> The current administration doesn't care about cyber defense, any less than it cares about protecting the environment

On the contrary, I would argue that they deeply care about the environment. The REAL point of all those tit-for-tat tariffs with China including with small mail/packages are to drastically cut cargo/shipping emissions. The threatening of annexation of Canada? That was really to get ~70% reduction in air passenger traffic BECAUSE they care about the environment. Same with creating a few high profile border horror story incidents against nationals from allied countries. The real point of it? Reduce transoceanic air passenger loads and save the environment. /s


You need to make that /s more prominent.


HN is extremely humour challenged. I suppose the majority fails to put a monetary value on it...


Try to talk to the people from the Sovereign Tech Fund, they have a history of sponsoring security-relevant projects in the EU.


> Sovereign Tech Fund

It's actually been upgraded to the Sovereign Tech Agency now


And maybe the sidn fund?


NLnet for open source


Yes, maybe reach out to Michiel Leenaars from the NLNet foundation. But IIRC NLNet mostly funds shorter development tracks, not ongoing upkeep/maintenance.


Looks like some people are already getting things moving: https://www.thecvefoundation.org/


Maybe something to bring up to one of these e.V.'s if it ends up being difficult to get started: Codeberg.org, nlnet.nl, ccc.de


+1 for ccc.de


Codeberg might be a nice cooperation partner for hosting the git repositories. Gonna write them!

I'm also visiting the local CCC chapters here this week, maybe it makes sense to have a separate e.V. where the CCC chapters are beneficiaries?


The main costs are definitely not hosting and can be quite significant. MITRE had $2.37B revenue in 2023, most of it contributions. I don't know how much of it can be attributed to the CVE, but I assume it's not an insignificant part of it: https://projects.propublica.org/nonprofits/organizations/422...


There are already many security trackers, why write a new one? The issue is paying people to handle the advisories.


I agree with you there. Before CISA got sacked / taken down, they were working together with the BSI and other CERT agencies on a vulnerability exchange format.

This might be the optimum time to implement CSAF and to lead by example when it comes to vulnerability disclosures.
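As an added illustration of what "implementing CSAF" means on the consuming side (this is example code written for this page, not the thread author's scraper and not a project's official tooling): a small Go validator that parses a constructed CSAF 2.0 advisory and runs two checks a tracker would want before ingesting anything, namely that the mandatory document fields are present and that every product ID referenced from a vulnerability's product_status is actually defined in product_tree (the CSAF 2.0 mandatory test "Missing Definition of Product ID"). The advisory JSON, the vendor name, the tracking ID and the product IDs are all constructed placeholders; the CVE value is a deliberately invalid placeholder, not a real identifier.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Minimal subset of the CSAF 2.0 document model, just enough for the checks
// below. Field names follow the CSAF 2.0 JSON schema; fields not listed here
// are ignored by encoding/json.
type CSAF struct {
	Document struct {
		Category    string `json:"category"`
		CSAFVersion string `json:"csaf_version"`
		Title       string `json:"title"`
		Publisher   struct {
			Category string `json:"category"`
			Name     string `json:"name"`
		} `json:"publisher"`
		Tracking struct {
			ID     string `json:"id"`
			Status string `json:"status"`
		} `json:"tracking"`
	} `json:"document"`
	ProductTree struct {
		FullProductNames []struct {
			Name      string `json:"name"`
			ProductID string `json:"product_id"`
		} `json:"full_product_names"`
	} `json:"product_tree"`
	Vulnerabilities []struct {
		CVE           string              `json:"cve"`
		ProductStatus map[string][]string `json:"product_status"` // e.g. known_affected, fixed
	} `json:"vulnerabilities"`
}

// SampleAdvisory is a constructed CSAF 2.0 document (not a real advisory).
// It deliberately lists CSAFPID-0002 under "fixed" although product_tree
// never defines it, which is the error Validate should report.
const SampleAdvisory = `{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "title": "Example advisory (constructed)",
    "publisher": {"category": "vendor", "name": "Example Vendor"},
    "tracking": {"id": "EXAMPLE-0000-0001", "status": "final"}
  },
  "product_tree": {
    "full_product_names": [
      {"name": "Example Product 1.0", "product_id": "CSAFPID-0001"}
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-0000-00000",
      "product_status": {
        "known_affected": ["CSAFPID-0001"],
        "fixed": ["CSAFPID-0002"]
      }
    }
  ]
}`

// cveRe is the CVE ID pattern used by the CSAF 2.0 schema for the "cve" field.
var cveRe = regexp.MustCompile(`^CVE-[0-9]{4}-[0-9]{4,}$`)

// Validate parses a CSAF JSON document and returns a list of problems found:
// wrong csaf_version, empty mandatory fields, malformed CVE IDs, and product
// IDs referenced from product_status that product_tree never defines.
func Validate(data []byte) ([]string, error) {
	var doc CSAF
	if err := json.Unmarshal(data, &doc); err != nil {
		return nil, err
	}
	var problems []string
	if doc.Document.CSAFVersion != "2.0" {
		problems = append(problems, "document.csaf_version must be \"2.0\"")
	}
	mandatory := []struct{ name, value string }{
		{"document.category", doc.Document.Category},
		{"document.title", doc.Document.Title},
		{"document.publisher.name", doc.Document.Publisher.Name},
		{"document.tracking.id", doc.Document.Tracking.ID},
	}
	for _, m := range mandatory {
		if m.value == "" {
			problems = append(problems, m.name+" is empty")
		}
	}
	defined := map[string]bool{}
	for _, p := range doc.ProductTree.FullProductNames {
		defined[p.ProductID] = true
	}
	for i, v := range doc.Vulnerabilities {
		if v.CVE != "" && !cveRe.MatchString(v.CVE) {
			problems = append(problems, fmt.Sprintf("vulnerabilities[%d].cve %q is malformed", i, v.CVE))
		}
		for status, ids := range v.ProductStatus {
			for _, id := range ids {
				if !defined[id] {
					problems = append(problems, fmt.Sprintf(
						"vulnerabilities[%d].product_status.%s references undefined product %q", i, status, id))
				}
			}
		}
	}
	return problems, nil
}

func main() {
	problems, err := Validate([]byte(SampleAdvisory))
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, p := range problems {
		fmt.Println("problem:", p)
	}
}
```

Running it prints one problem for the undefined CSAFPID-0002 reference. Rejecting such advisories at ingest time matters because downstream consumers match product IDs against their own inventory, and a dangling ID silently turns a "fixed" claim into noise.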


We should host it and collect membership fees from people who need this data. This way we can make it resilient against lack of government support. I would love to pay 5-10EUR/month to use such a service.


I would email someone like Patch My PC; they seem to be good stewards of open source stuff from my vague looking, and they are good people. They may just host a clone of it that's open.


(Spain, doing storage and web hosting) What usually worries me the most is the administrative or management part, which I don't know how big would be for this project...


Try if you can find some help here https://openssf.org/


I’m interested to help! I added you on LinkedIn, so will message there after you accept. :)


I'm also interested in helping


Depending on deployment strategy I could help with Kubernetes stuff.


The European, GDPR compliant subnet of the Internet Computer could suit your needs. The app would be decentralized out of the box and it can't be shut down by a single entity like a traditional cloud provider or nation state. Hosting 100GB costs about 500$ per year [0]. This is not a traditional hosting provider, it's a decentralized cloud. Reach out on the forum [1] or to me if this sounds like a good fit to you (I think it does, from your list of requirements).

[0] https://internetcomputer.org/docs/building-apps/essentials/c...

[1] https://forum.dfinity.org/


Or just use a normal host where hosting 100GB costs about $60.00 per year.


As mentioned in the response to the sibling, I am not just talking about hosting the data, but also running the app. Ofc, with a lot of traffic the running costs would increase.

The reason for the higher price is that both data and running software is redundant and decentralized by design - no need to configure anything.


My 4TiB seedbox at home costs $5 in electricity.


Seems way overkill & unnecessary. Wouldn't the e.V. (foundation), especially with a FOSS backend/frontend, already ensure continued operation? Also if it's about redundancy/resilience it seems like good ol' torrent/ipfs or even a dedicated dht (if you really want to have fast updated content) would be much more efficient.


>FOSS backend/frontend

That phrase does not address where and how to host data and run software, and while I think an e.V. would be a great idea, it also doesn't address it. So these concerns seem orthogonal to my input.

The IC Protocol is indeed about redundancy and resilience, but also about sovereignty and security, and it does not just host data (like torrents) but also runs software in a verifiable way (in particular, for every message you get from a dapp on the ICP, you get a certificate that proves that the majority of nodes in the subnet agree on the result).

In a nutshell, it's a platform that gives you many guarantees (security, redundancy, sovereignty) out of the box - as opposed to classical solutions which have to be composed of many different building blocks that need to be orchestrated to work together.


> runs software in a verifiable way (in particular, for every message you get from a dapp on the ICP, you get a certificate that proves that the majority of nodes in the subnet agree on the result).

There is no need for this though, by its very nature CVE services are "authorities" that distribute fairly simple data. Also if it costs 500$ to keep it online it's not really giving you much more resilience than regular multi-node hosting and significantly less than torrenting, which is effectively free for many volunteers.


Some CNAs may also submit. Is this something you are open to?


I'm not European but I'd love to help.


Messaged on LinkedIn, FYI


Why EU?

Canada may be another friendly option


Canada’s been described as the Ukraine of North America.

Let’s not site global critical infrastructure within 150km of US land borders for a generation, please.


I don't believe I've heard that before.

As a Canadian, I can confirm it's nothing like what's happening in Ukraine.


Great idea. I'm interested in helping. I'll dm you.


The AGPL is a nonfree (and nonsensical) license.

There’s nothing wrong with normal GPL.


Is there a non-free license approved by FSF and OSI and compatible with DFSG?



