Bugtraq mailing list archives

Summary: Copyright on Security advisories


From: aviram () JENIK COM (Aviram Jenik)
Date: Mon, 22 Feb 1999 20:43:24 +0200


I've got a lot of responses for my original post (seems like I'm not the only
one with that problem..)

Most of these responses were very informative, so I'll post a short summary.

It seems that the law agrees with common sense (or is it the other way
around?). It's all about "fair use" of published material.
Public security advisories aren't copyrighted against people quoting them,
paraphrasing or publishing them in full ("fair" uses include commentary,
criticism, summarization, paraphrasing, and reports). Since the re-publishing
of those advisories is done for non-profit, this is no problem. Linking to
the original is common courtesy, but not necessary from a legal point of
view.

I guess the only "bad" use is taking the original advisory and selling it
under my own name..

Another question is using the exploit source code that is sometimes included
in those advisories. Since this code is published to the public with the aim
that it will be used by as many people as possible, it is okay to include it
when reporting about the exploit (as long as the code is not altered).

So, basically, if you're a good guy then you've got no problem ;-)

I also have to mention that I got many messages from people who think some of
the advisories are too much about "fame and glory". Though I think it's great
that commercial companies share their knowledge with the rest of the
community, they are clearly not doing so out of pure philanthropy. Therefore,
they can be a little nicer and tone down those disclaimers (though I'm sure
their attorneys think differently).
While I'm at it, I have to say that till this day I got no reply from ISS or
HERT (though the original post was mailed to them also). On the other hand,
someone from Microsoft (which is an example of a commercial company that has
*no* explicit copyright in their security advisories) immediately contacted
me to make sure MS alerts are okay.

So, Aleph - since this topic repeats once in a while, I hope this information
helps clear out some of the question marks.

I won't end with a disclaimer (though I think it's called for), but I think
you're all old enough to understand that if you're really not sure whether
you can use other people's material or not, you should get a real lawyer.

--
-------------------------
Aviram Jenik

"Addicted to Chaos"

-------------------------
Today's quote:
The most important things to do in this world are to get something
to eat, something to drink and somebody to love you.
                         - Brendan Behan, in "Weekend", 1968


