RE: [RFC] Vulnerability library proposal

["Rob Nicholls" <robert () robnicholls co uk>]

Hi Christian,

I was looking at http://osvdb.org/license which has the Open Source
Vulnerability Database Free License stated below the download links for
"CSV/MySQL Dumps/SQLite" and "XML Dumps".

I know Nmap has typically steered away from using a proper database in
favour of flat files, so I presume we'd be looking at CSV or XML if we did
decide to use local files.

Cheers,

Rob

-----Original Message-----
From: Christian Heinrich [mailto:christian.heinrich () cmlh id au] 
Sent: 09 August 2011 23:28
To: Rob Nicholls
Cc: nmap-dev
Subject: Re: [RFC] Vulnerability library proposal

Rob,

On Wed, Aug 10, 2011 at 1:29 AM, Rob Nicholls <robert () robnicholls co uk>
wrote:
> I would prefer that Nmap doesn't compete with OSVDB (or other 
> databases), but my concern with including or allowing people to use a 
> third party database such as OSVDB is that this could lead to licence 
> issues (unless we can agree an alternative license).
>
> OSVDB probably isn't too bad compared to other databases, but at a 
> glance I believe we'd have to retain the license agreement with the 
> database (if we distribute it), notify them if we plan on integrating 
> their database with Nmap (e.g. Nmap or an NSE script makes use of 
> either a local or external copy of the data) and we would need to 
> credit them in reports (all output
> formats?) and Nmap's execution (e.g. help) unless we negotiate an 
> alternative license. Given that other tools often rely on Nmap's 
> output, it's possible we might cause license issues for them (as the 
> free license is non-transferable).

I can't find a specific URL which addresses licensing but I did find
http://osvdb.org/faq#osvdb4sale and http://osvdb.org/integrators


--
Regards,
Christian Heinrich

http://cmlh.id.au/contact


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/