Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Symantec Buys SecurityFocus, among others....
From: full-disclosure () lists netsys com (Chris Wysopal)
Date: Fri, 19 Jul 2002 15:10:26 +0000 (GMT)

On Thu, 18 Jul 2002, Jay D. Dyson wrote:

      Perhaps the best way to beat these cash hounds at their own game
is to start using a strictly not-for-profit licensing on all released
advisories and proof-of-concept code which stipulates that for-profit
companies may not use said information in any way.

Even if you put a copyright notice on your advisories and give permission
for non-profits to redistribute, the for-profits will just reword the
information for their database.  It usually takes several days to research
and create an advisory and many hours of working with the vendor to get
them to fix it.  The vuln reporter gets some street cred.  The for-profit
retypes the information and probably makes a few thousand dollars PER
ADVISORY.  And several for-profits are doing this.

      Let's face it: the for-profit companies have been leeching off the
community for years and giving nothing back save for sponsorship of key
escrow, further draconian legislation, and advocacy of a security cabal
(which they would control) that would take free information and bundle it
as a pay-for product/service.

The only way to stop the leeching is to have a free vulnerability database.
There could be a site where vuln reporters could enter the information into
the database themselves.  This database would always be the most up to date
and the most accurate.  If there was a standardized vuln reporting format
perhaps the import to the databse could be automated.  Mirroring of the
database around the world would be encouraged.

I would love VulnWatch to be able to do this.  Any volunteers?

      Look, I have nothing against someone trying to make a buck.  That
is the cornerstone of the capitalist system.  What burns my biscuits is
that the monolithic security companies are not making this money off their
own efforts[1], but by leeching off the egalitarian contributions of those
who possess a skill set the businesses are not willing to pay for.

Agreed.  I have struggled with the model that exists for many years.  It
seems the only way to make money off of vuln information is to sell a
database and the people selling them do not pay the vulnerability
reporters for their effort. Let's face it.  There would be no security
information business without all the people donating their knowledge for

Of all the vuln database companies SecurityFocus has been the best at
giving back to the community and they say this won't change.  Even so a
completely non-corporate and free vuln database would be something good for
the community.


- -Jay

1.  About the only real effort I see from corporate security firms these
    days is whipping up FUD-filled press releases to scare the living
    bejeezus out of the masses about "cyber-terrorism" and other happy

  (    (                                                          _______
  ))   ))   .--"There's always time for a good cup of coffee"--.   >====<--.
C|~~|C|~~| (>------ Jay D. Dyson -- jdyson () treachery net ------<) |    = |-'
 `--' `--'  `-- I'll be diplomatic...when I run out of ammo. --'  `------'

Version: GnuPG v1.0.7 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.


Full-Disclosure - We believe in it.
Full-Disclosure () lists netsys com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]