Date: Sun, 24 Aug 2014 00:51:14 -0400
From: Rich Felker <dalias@...c.org>
To: oss-security@...ts.openwall.com
Subject: Re: Re: FYI, change to Secunia vuln db EULA

On Sat, Aug 23, 2014 at 09:49:03PM -0500, ken wrote:
>
> I feel a need to clarify my previous email ...
>
> Secunia obviously has an extremely useful and comprehensive
> vulnerability database. All of their vulnerability mgmt, patch mgmt,
> and scanning products are excellent too. The IT industry needs high
> quality vuln and patch mgmt solutions like this, and Secunia needs
> revenue so they can maintain and improve their products/solutions,
> conduct research, build new products, make a profit, etc.
>
> There are some potentially adverse consequences to their decision to
> close their vulnerability database:
>
> 1) All direct links to Secunia vuln db entries are effectively dead
> ends now ... unless the link clicker is a student, press, private
> person, hobby/non-commercial security researcher and gets "community"
> (free) access, OR is a non-profit organization, private company, or
> public authority/entity who has paid the annual fee for the VIM
> product. I imagine most people reading this email fall into the
> latter group, do not have access, and will need to pay for access.

Are you saying that the links go to a paywall now? Or simply that the person who follows the link has some "obligation not to look" unless they fall in one of the categories in the first group above?

If what you mean is the latter, then I think the issue only matters to parties who are conducting large scale, programmatic access to their database. Anyone is a "private person", and can certainly justify access to any one record (or any reasonable amount of records) as a private person. Only in the case of bulk automated access where it's clear that the access is being performed on someone else's behalf or to scrape the data, etc. is there any question.

> 2) Vendors can apparently no longer review the Secunia vuln db so they
> can submit updates and corrections (unless the vendor has purchased
> the VIM product?). Will this result in Secunia vuln db info becoming
> less accurate and up-to-date?

Directly, probably not. If they decide to be jerks about it though, people might just get fed up with dealing with them and not bother to contribute.

> 3) If you maintain a public or private vulnerability database, or
> vulnerability website, you will no longer be able to effectively
> reference or cross-reference the Secunia vuln db, unless you pay for
> access. How will this impact OSVDB, NVD, CVE, IAVM, PacketStorm, etc?

At least in the US and most jurisdictions I'm aware of, copyright has no bearing on your right to link, so I don't see this having any effect.

> Depending on your interests in vulnerabilities and role(s) in the
> security industry, you may see other consequences.
>
>
> Bottom line for me is that I had been using the public, freely
> available Secunia vuln info every day for over 10 years, and I had
> been regularly submitting vuln info/updates/corrections. I'm
> currently not using it at all (in compliance with their EULA). If
> the VIM cost fits into my budget, then I'll definitely purchase it.

In my opinion, there's something wrong with feeling obligated to pay to access something you contributed to building with the understanding that you were building a community resource, and even more wrong with taking data built for you by a community and trying to restrict that community's access to it.

Rich