Re: Secunia illegal spam and advisory republication

[gboyce <gboyce () badbelly com>]

On Thu, 20 Apr 2006, n3td3v wrote:

> On 4/20/06, Morning Wood <se_cur_ity () hotmail com> wrote:
> > Since you are hellbent on leather here... your oh so loved Securityfocus /
> > Bugtraq
> > does the same thing. Many of my own advisories are put on Bugtraq without me
> > submitting directly. I guess http://www.osvdb.org is just as guilty? Perhaps
> > Milw0rm too?
>
> No, Mlw0rm tells you who discovered the vulnerability, as do other
> sites. Although Secunia tell you it was all their work. I bet you
> would be pretty pissed if you post one of your XSS or SQL injection,
> and it appears on the Secunia website the next day saying "Secunia
> FOUND". They are using the URL to get away with it and claim its their
> advisory as soon as its post to FD. Folks like HP advisories put a
> copyright notice at the bottom, but Secunia come along and reword the
> advisory and everything without persmisson. This isn't about just copy
> and pasting an advisory from a list and putting it on a website, this
> is about rewording and taking credit for other peoples work.

Here's a snippet from a FAQ on copyright: (republishing an article on 
copyright?  Delicious!)

http://www.templetons.com/brad/copymyths.html

10) "They e-mailed me a copy, so I can post it."
    To have a copy is not to have the copyright. All the E-mail you write 
is copyrighted. However, E-mail is not, unless previously agreed, secret. 
So you can certainly report on what E-mail you are sent, and reveal what 
it says. You can even quote parts of it to demonstrate. Frankly, somebody 
who sues over an ordinary message would almost surely get no damages, 
because the message has no commercial value, but if you want to stay 
strictly in the law, you should ask first. On the other hand, don't go 
nuts if somebody posts E-mail you sent them. If it was an ordinary 
non-secret personal letter of minimal commercial value with no copyright 
notice (like 99.9% of all E-mail), you probably won't get any damages if 
you sue them. Note as well that, the law aside, keeping private 
correspondence private is a courtesy one should usually honour.

I believe the relevant section here is this:

"However, E-mail is not, unless previously agreed, secret. So you can 
certainly report on what E-mail you are sent, and reveal what it says. You 
can even quote parts of it to demonstrate."

If they are rewording advisories, then they are revealing information 
which was not secret.  Assuming that they are in fact claiming the 
discovery as their own (I haven't checked this myself), I'd consider that 
dishonest, but I don't know it would be considered a copyright violation. 
Perhaps plagiarism.

(Note, I am not a lawyer, and I'm probably full of misinformation)

--
Greg

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/