mailing list archives
Re: Secunia illegal spam and advisory republication
From: gboyce <gboyce () badbelly com>
Date: Thu, 20 Apr 2006 15:48:40 -0400 (EDT)
On Thu, 20 Apr 2006, n3td3v wrote:
On 4/20/06, Morning Wood <se_cur_ity () hotmail com> wrote:
Since you are hellbent on leather here... your oh so loved Securityfocus /
does the same thing. Many of my own advisories are put on Bugtraq without me
submitting directly. I guess http://www.osvdb.org is just as guilty? Perhaps
No, Mlw0rm tells you who discovered the vulnerability, as do other
sites. Although Secunia tell you it was all their work. I bet you
would be pretty pissed if you post one of your XSS or SQL injection,
and it appears on the Secunia website the next day saying "Secunia
FOUND". They are using the URL to get away with it and claim its their
advisory as soon as its post to FD. Folks like HP advisories put a
copyright notice at the bottom, but Secunia come along and reword the
advisory and everything without persmisson. This isn't about just copy
and pasting an advisory from a list and putting it on a website, this
is about rewording and taking credit for other peoples work.
Here's a snippet from a FAQ on copyright: (republishing an article on
10) "They e-mailed me a copy, so I can post it."
To have a copy is not to have the copyright. All the E-mail you write
is copyrighted. However, E-mail is not, unless previously agreed, secret.
So you can certainly report on what E-mail you are sent, and reveal what
it says. You can even quote parts of it to demonstrate. Frankly, somebody
who sues over an ordinary message would almost surely get no damages,
because the message has no commercial value, but if you want to stay
strictly in the law, you should ask first. On the other hand, don't go
nuts if somebody posts E-mail you sent them. If it was an ordinary
non-secret personal letter of minimal commercial value with no copyright
notice (like 99.9% of all E-mail), you probably won't get any damages if
you sue them. Note as well that, the law aside, keeping private
correspondence private is a courtesy one should usually honour.
I believe the relevant section here is this:
"However, E-mail is not, unless previously agreed, secret. So you can
certainly report on what E-mail you are sent, and reveal what it says. You
can even quote parts of it to demonstrate."
If they are rewording advisories, then they are revealing information
which was not secret. Assuming that they are in fact claiming the
discovery as their own (I haven't checked this myself), I'd consider that
dishonest, but I don't know it would be considered a copyright violation.
(Note, I am not a lawyer, and I'm probably full of misinformation)
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/