oss-sec mailing list archives

Re: Re: FYI, change to Secunia vuln db EULA


From: Rich Felker <dalias () libc org>
Date: Sun, 24 Aug 2014 00:51:14 -0400

On Sat, Aug 23, 2014 at 09:49:03PM -0500, ken wrote:

> I feel a need to clarify my previous email ...
> 
> Secunia obviously has an extremely useful and comprehensive
> vulnerability database.  All of their vulnerability mgmt, patch mgmt,
> and scanning products are excellent too.  The IT industry needs high
> quality vuln and patch mgmt solutions like this, and Secunia needs
> revenue so they can maintain and improve their products/solutions,
> conduct research, build new products, make a profit, etc.
> 
> There are some potentially adverse consequences to their decision to
> close their vulnerability database:
> 
> 1) All direct links to Secunia vuln db entries are effectively dead
> ends now ... unless the link clicker is a student, press, private
> person, hobby/non-commercial security researcher and gets "community"
> (free) access, OR is a non-profit organization, private company, or
> public authority/entity who has paid the annual fee[1] for the VIM
> product.  I imagine most people reading this email fall into the
> latter group, do not have access, and will need to pay for access.

Are you saying that the links go to a paywall now? Or simply that the
person who follows the link has some "obligation not to look" unless
they fall in one of the categories in the first group above? If what
you mean is the latter, then I think the issue only matters to parties
who are conducting large scale, programmatic access to their database.
Anyone is a "private person", and can certainly justify access to any
one record (or any reasonable amount of records) as a private person.
Only in the case of bulk automated access where it's clear that the
access is being performed on someone else's behalf or to scrape the
data, etc. is there any question.

> 2) Vendors can apparently no longer review the Secunia vuln db so they
> can submit updates and corrections (unless the vendor has purchased
> the VIM product?).  Will this result in Secunia vuln db info becoming
> less accurate and up-to-date?

Directly, probably not. If they decide to be jerks about it though,
people might just get fed up with dealing with them and not bother to
contribute.

> 3) If you maintain a public or private vulnerability database, or
> vulnerability website, you will no longer be able to effectively
> reference or cross-reference the Secunia vuln db, unless you pay for
> access.  How will this impact OSVDB, NVD, CVE, IAVM, PacketStorm, etc?

At least in the US and most jurisdictions I'm aware of, copyright has
no bearing on your right to link, so I don't see this having any
effect.

> Depending on your interests in vulnerabilities and role(s) in the
> security industry, you may see other consequences.
> 
> Bottom line for me is that I had been using the public, freely
> available Secunia vuln info every day for over 10 years, and I had
> been regularly submitting vuln info/updates/corrections.  I'm
> currently not using it at all (in compliance with their EULA).  If
> the VIM cost fits into my budget, then I'll definitely purchase it.

In my opinion, there's something wrong with feeling obligated to pay
to access something you contributed to building with the understanding
that you were building a community resource, and even more wrong with
taking data built for you by a community and trying to restrict that
community's access to it.

Rich