Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 24 Aug 2014 00:51:14 -0400
From: Rich Felker <dalias@...c.org>
To: oss-security@...ts.openwall.com
Subject: Re: Re: FYI, change to Secunia vuln db EULA

On Sat, Aug 23, 2014 at 09:49:03PM -0500, ken wrote:
> 
> I feel a need to clarify my previous email ...
> 
> Secunia obviously has an extremely useful and comprehensive
> vulnerability database.  All of their vulnerability mgmt, patch mgmt,
> and scanning products are excellent too.  The IT industry needs high
> quality vuln and patch mgmt solutions like this, and Secunia needs
> revenue so they can maintain and improve their products/solutions,
> conduct research, build new products, make a profit, etc.
> 
> There are some potentially adverse consequences to their decision to
> close their vulnerability database:
> 
> 1) All direct links to Secunia vuln db entries are effectively dead
> ends now ... unless the link clicker is a student, press, private
> person, hobby/non-commercial security researcher and gets "community"
> (free) access, OR is a non-profit organization, private company, or
> public authority/entity who has paid the annual fee[1] for the VIM
> product.  I imagine most people reading this email fall into the
> latter group, do not have access, and will need to pay for access.

Are you saying that the links go to a paywall now? Or simply that the
person who follows the link has some "obligation not to look" unless
they fall in one of the categories in the first group above? If what
you mean is the latter, then I think the issue only matters to parties
who are conducting large scale, programmatic access to their database.
Anyone is a "private person", and can certainly justify access to any
one record (or any reasonable amount of records) as a private person.
Only in the case of bulk automated access where it's clear that the
access is being performed on someone else's behalf or to scrape the
data, etc. is there any question.

> 2) Vendors can apparently no longer review the Secunia vuln db so they
> can submit updates and corrections (unless the vendor has purchased
> the VIM product?).  Will this result in Secunia vuln db info becoming
> less accurate and up-to-date?

Directly, probably not. If they decide to be jerks about it though,
people might just get fed up with dealing with them and not bother to
contribute.

> 3) If you maintain a public or private vulnerability database, or
> vulnerability website, you will no longer be able to effectively
> reference or cross-reference the Secunia vuln db, unless you pay for
> access.  How will this impact OSVDB, NVD, CVE, IAVM, PacketStorm, etc?

At least in the US and most jurisdictions I'm aware of, copyright has
no bearing on your right to link, so I don't see this having any
effect.

> Depending on your interests in vulnerabilities and role(s) in the
> security industry, you may see other consequences.
> 
> 
> Bottom line for me is that I had been using the public, freely
> available Secunia vuln info every day for over 10 years, and I had
> been regularly submitting vuln info/updates/corrections.  I'm
> currently not using it at all (in compliance with their EULA).  If
> the VIM cost fits into my budget, then I'll definitely purchase it.

In my opinion, there's something wrong with feeling obligated to pay
to access something you contributed to building with the understanding
that you were building a community resource, and even more wrong with
taking data built for you by a community and trying to restrict that
community's access to it.

Rich

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.