DOVES Access Policy
The DOVES database consists of three different views of the data:
- The vulnerabilities portion contains information
about system vulnerabilities.
Portions of this part of the database are on the web.
This data is either available elsewhere on the Internet or is
very widely known.
In some cases, we have sanitized it.
- The exploits portion contains attack tools or
descriptions of attacks.
This is not available on the web, even though many (most?) are
already available on the web elsewhere.
We don't want UC Davis to become known as a site
where you can download these tools!
(Besides,
the vulnerability entries tell how to check for the
vulnerability ....)
- The signatures portion contains traces of exploits,
including patterns for intrusion detection systems that match attacks.
Again,
this data is not available on the Internet.
Access to each of these portions are handled separately.
We distinguish the users who want access to DOVES:
- A researcher is one who needs a set of vulnerabilities
to conduct experiments or to validate (or refute) a hypothesis.
The end goal is knowledge,
and the data will not be used in a tool offered for sale.
- A developer is one who will use the data to develop commercial
products, but does not intend to impart the data itself to others.
- A vendor is one who will add the data to a commercial
product.
For example, an academic studying intrusion detection as part of a research
project would be a researcher.
A company that wishes to test a suite of intrusion detection techniques against
a set of vulnerabilities,
and develop scanners for those vulnerabilities the suite does not handle,
would be a developer.
A company that wishes to add signatures developed from the attack tools in
the exploits portion of the database would be a vendor.
The data in DOVES that is available on the web is free for use.
Additional data includes attack tools and some vulnerabilities that
we have elected not to make freely available (either because we
have been asked not to, or in our judgement they are better left
unpublicized).
This data is available to bona fide researchers to further their
work, providing the contributors agree to allow this more limited distribution.
In fairness to our sponsore,
if a developer or vendor wants access to enhance a product tha is (or will be)
sold,
we will ask them to make a contribution of some sort to the project.
If you are interested, please contact the
project administrator
and we'll be happy to talk to you about how to do this
and work out something both you and we are comfortable with.
Send email to
bishop@cs.ucdavis.edu.
Matt Bishop
Department of Computer Science
University of California at Davis
Davis, CA 95616-8562
Page last modified on 8/1/98