[VIM] Secunia has now put ALL vulnerability info behind login?

Kurt Seifried kseifried at redhat.com
Sat Aug 23 22:40:04 CDT 2014



On 23/08/14 08:47 PM, ken wrote:
> 
> I feel a need to clarify my previous email ...
> 
> 1) All direct links to Secunia vuln db entries are effectively
> dead ends now ... unless the link clicker is a student, press,
> private person, hobby/non-commercial security researcher and gets
> "community" (free) access, OR is a non-profit organization, private
> company, or public authority/entity who has paid the annual fee[1]
> for the VIM product.  I imagine most people reading this email fall
> into the latter group, do not have access, and will need to pay for
> access.

Correct, this is a significant concern. Will Mitre remove the links?
Seems like the safest thing to do. Otherwise Mitre is implicitly
endorsing the Secunia EULA.

> 2) Vendors can apparently no longer review the Secunia vuln db so
> they can submit updates and corrections (unless the vendor has
> purchased the VIM product?).  Will this result in Secunia vuln db
> info becoming less accurate and up-to-date?

This is a concern to me. I suspect I can't (and won't) agree to the
EULA, it's too dangerous legally.

Story time: when I contracted for iDefense and iSIGHT partners almost
nobody would reply to my emails asking for more information. As soon
as I moved to Red Hat, bam, 100% reply rate, usually in <24 hours.

If you don't play nice with the community, chances are the community
won't play nice with you.

> 3) If you maintain a public or private vulnerability database, or
> vulnerability website, you will no longer be able to effectively
> reference or cross-reference the Secunia vuln db, unless you pay
> for access.  How will this impact OSVDB, NVD, CVE, IAVM,
> PacketStorm, etc?

That is a huge concern; luckily for Red Hat we try hard to play very
nice with the community, and we make our information very public (the
BZ's get unlocked, the RHSA's have the packages listed, basically
everything except reproducer code from us is public, and even then
we've had exceptions like Heartbleed).

> Regards, Ken

- -- 
Kurt Seifried - Red Hat - Product Security Team (PST)
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
