OSVDB – How many people work on this project?

[This was originally published on the OSVDB blog.]

We are occasionally asked how many people work on OSVDB. This question comes from those familiar with the project, and potential customers of our vulnerability intelligence feed. Back in the day, I had no problem answering it quickly and honestly. For years we limped along with one “full time” (unpaid volunteer) and a couple part-timers (unpaid volunteers), where those terms were strictly based on the hours worked. Since the start of 2012 though, we have had actual full-timers doing daily work on the project. This comes through the sponsorship provided by Risk Based Security (RBS), who also provided us with a good amount of developer time and hosting resources. Note that we are also frequently asked how much data comes from the community, to which we giggle and answer “virtually none” (less than 0.01%).

These days, however, I don’t like to answer that question because it frequently seems to be a recipe for critique. For example, on one potential client call we were asked how many employees RBS had working on the offering. I answered honestly that it was only three at the time, because that was technically true. That didn’t represent the number of bodies, as one was full-time but not RBS, and two were not full-time. Before that could be qualified, the potential client scoffed loudly, “there is no way you do that much with so few people”. Despite explaining that we had more than three people, I simply offered for them to enjoy a 30-day free trial of our data feed. Let the data answer his question.

To this day, if we say we have #lownumber, we get the response above. If we say we have #highnumber that includes part timers and drive-by employees (that are not tasked with this work but can dabble if they like), then we face criticism that we don’t output enough. Yes, despite us aggregating and producing over twice as much content as any of our competitors, we face that silly opinion. The number of warm bodies also doesn’t speak to the skill level of everyone involved. Two of our full time workers (one paid, one unpaid) have extensive history managing vulnerability databases and have continually evolved the offerings over the years. While most VDBs look the same as they did 10 years ago, OSVDB has done a lot to aggregate more data and more meta-data about each vulnerability than anyone else. We have been ahead of the curve at almost every turn, understanding and adapting to the challenges and pitfalls of VDBs.

So, to officially answer the question, how many people work on this project? We have just enough. We make sure that we have the appropriate resources to provide the services offered. When we get more customers, we’ll hire more people to take on the myriad additional projects and data aggregation we have wanted to do for years. Data that we feel is interesting and relevant, but no one is asking for yet. Likely because they haven’t thought of it, or haven’t realized the value of it. We have a lot more in store, and it is coming sooner rather than later now that we have the full support of RBS. If you are using any other vulnerability intelligence feed, it is time to consider the alternative.

An Open Letter to @Twitter

Dear Twitter,

You run one of the largest and most visible social network sites on the Internet, highly visible even to millions who don’t have Internet access, thanks to media saturation and today’s lexicon. And you suck at it. Despite your recent IPO and suggestions that you finally figured out how to make money off this beast you have created, you still don’t seem to understand the first thing about the monster you created. Namely, how your users actually use the service. Your overall user experience (UX) is horrible. In no particular order, a few of the incidents and poor decisions that support my case:

  • The dreaded “Twitter unfollow bug”. This has been plaguing your platform for many years, and you have yet to solve it. Worse, you default to sending us junk mail asking if we know people, trying to get us to follow more people. These two things are at odds with each other.
  • When you finally made it easy for a user to download an archive of their tweets, you sent a URL that was broken. Only a fraction of your users could see that you were HTML-encoding an ampersand (&) in one place, and that manually fixing it would allow the download. The fact you missed this shows that you essentially have no Quality Assurance (QA) testing in house.
  • Your emails are annoying. I specifically opted not to receive them in the past, only to have you revert my decision, and the subjects are laughable. Not only are they written with no thought to how they appear outside your world, you seemingly can’t figure out the purpose of a profile and make brain-dead assumptions about all users.
    • Subject: Do you know cyberwar on Twitter? <– errr…
    • Subject: Twitter followers want to purchase from your business! <– hot damn. now I need a business plan…

  • Twitter on a Tab? No thanks. When opting not to receive audible notifications, your software ignored that and kept dinging at me happily. No means no. Again, in your attempt to get more people using your service, you completely forget the basics of the UX and that all software should receive some QA time.
  • One of the most frustrating problems recently is your constantly changing decision on how to handle URLs in direct messages. One day, they aren’t allowed, without warning. The next day they work again. Days later, I can’t send the same URL to the same person because I have “already said that”, even when the accompanying text is different. News flash: some web sites do not have static content on their front page. If you need an example, check out this web page: twitter.com. If you can’t figure out that I am friends with someone via the mutual follow, or the fact that we have conversed via DM for months (or years in some cases) and that we may want to send URLs to each other, just get out of this business.
  • Your inability to fight spam on your service has moved beyond a running joke and into the “sad” category. You still cannot detect profiles that are obviously spam and have every indication of being easily pegged by a halfway intelligent algorithm. At least twice, you have identified Twitpic as a “hostile” service, calling it “malware” once. All the while allowing these spam profiles to send sketchy links.

I fully understand that the size of your network makes some of this challenging. But this is also on you, because you opted not to address these problems years ago when they were more manageable. Instead of fixing these recurring nuisances with a solution that scales, you let them languish until they are beasts that are more difficult to vanquish. The list above is just the ones that come to mind quickly this morning.

In summary, you suck at social media. You don’t care about your users beyond figuring out a way to profit directly off of them. In case it has slipped your mind, you need us. We are your business foundation. Figure out a way to profit off of us! Just do so while occasionally paying attention to your user base, please.

Sincerely,
@attritionorg