[VIM] Secunia has now put ALL vulnerability info behind login?

Williams, James K Ken.Williams at ca.com
Fri Aug 22 12:01:41 CDT 2014


Hey Steve,

We do not sell any vulnerability-related products or services, or maintain any vulnerability database, or scrape any VDBs.

My use is limited to manually researching vulnerabilities that directly affect CA products/networks.

We have no plans to hide security notices for our products behind a login, but I can understand why software vendors might wish to do so (and add an EULA), to prevent commercial VDBs and vulnerability intelligence products/services from using their product security notices and fix information for commercial purposes.

We may need to reconsider our policy of directly sharing product security notices with commercial VDBs and vulnerability intelligence products/services, especially if they won't even allow us to see their entries for our products.

Regards, 
Ken

-----Original Message-----
From: vim-bounces at attrition.org [mailto:vim-bounces at attrition.org] On Behalf Of Christey, Steven M.
Sent: Wednesday, April 30, 2014 6:35 PM
To: Vulnerability Information Managers
Subject: Re: [VIM] Secunia has now put ALL vulnerability info behind login?

Late Tuesday night, I made a direct inquiry to Secunia, since I also have questions about the EULA.  If CVE discovers a cross-reference through Secunia or integrates some description details, it seems it could be a violation.  I haven't heard back yet.

SecurityFocus, OSVDB, and now Secunia have all restricted access in one form or another.  While I recognize there are numerous reasons for doing so, hopefully this trend won't continue, and hopefully we VDB specialists can figure out the best model(s).

Scott and Ken - not to put you *too* much on the spot, but since your VDBs are closely attached to your products, I'm wondering if you have a different business model and less of an existential threat than the "vuln intelligence" VDBs do?

- Steve


>-----Original Message-----
>From: vim-bounces at attrition.org [mailto:vim-bounces at attrition.org] On
>Behalf Of Williams, James K
>Sent: Monday, April 28, 2014 12:30 PM
>To: Vulnerability Information Managers
>Subject: Re: [VIM] Secunia has now put ALL vulnerability info behind login?
>
>See sections 6.1 and 6.2 in the EULA on the Community Login signup page.
>https://secunia.com/community/profile
>Figuring out if your use constitutes commercial purposes is only half of
>your problem.
>
>All reference links to secunia.com are effectively dead now unless your
>site visitors have a Secunia account.
>
>Regards,
>Ken
>
>-----Original Message-----
>From: vim-bounces at attrition.org [mailto:vim-bounces at attrition.org] On
>Behalf Of security curmudgeon
>Sent: Monday, April 28, 2014 11:27 AM
>To: Vulnerability Information Managers
>Subject: Re: [VIM] Secunia has now put ALL vulnerability info behind login?
>Importance: High
>
>
>
>On Mon, 28 Apr 2014, Scott Moore wrote:
>
>: I wonder what constitutes commercial purposes?
>:
>: We reference them with a link to their website, and do not sell our
>: vulnerability data.
>
>Using a link to them as a cross-reference isn't "commercial".
>
>Pretty sure they are combatting the same thing OSVDB has for years, people
>using our entire entries, text and all, in products and services.


