[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] A funny (but real) story for XMAS

To: "madsaxon" <madsaxon@direcway.com>, <full-disclosure@lists.netsys.com>
Subject: Re: [Full-Disclosure] A funny (but real) story for XMAS
From: "Kurt Seifried" <listuser@seifried.org>
Date: Tue, 16 Dec 2003 14:28:24 -0700

> The reason OSVDB isn't well populated yet is that each
> vulnerability has to be evaluated and written up afresh
> in order to avoid violating any existing DB's copyrights.
> That takes time.  If you want to shorten that time, go
> volunteer. :-)

I like the idea of osvdb, I have concerns about the execution. I tried to
read:

http://www.osvdb.org/terms-conditions.php

But after a few pages got tired of trying to figure out how all the various
loopholes and things like "We reserve the right, at our discretion, to
change, modify, add or remove portions of these terms periodically." will
interact. Then there is things like:

"You agree not to sell, resell or offer for any commercial purposes, any
portion of the Services, use of the Services or access to the Services."

So what happens if I reference an osvdb writeup in a commercial product, it
would seem even just using whatever identifier osvdb uses for an issue (the
name) would violate their terms of service.

While the osvdb claims they will use a license similar to the CPL (according
to http://www.osvdb.org/status.php/):

http://www.opensource.org/licenses/cpl.php

They then go on to say:

"Currently OSVDB is seeking legal aid to determine how to best reuse the
CPL, or draft a similar license. "

With all the above loopholes, and the uncertainty about the license and
conflicting license/terms of service/etc I have a feeling this company may
pull a CDDB (that is, let people enter stuff, and use it for free and then
yank it and go commercial). This is sponsored by two commercial companies
and let's face it, at the end of the day if it comes down to making an extra
buck, or being "nice to the community" most companies will go with the
dollar.

I could be wrong of course, and sincerely hope I am. But the execution of
this project makes me nervous.

Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/




> m5x
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- [Full-Disclosure] OSVDB (was [Funny Story])
  - From: "Gregory A. Gilliss" <ggilliss@netpublishing.com>

References:
- Re: [Full-Disclosure] A funny (but real) story for XMAS
  - From: madsaxon <madsaxon@direcway.com>

Prev by Date: Re: [Full-Disclosure] A funny (but real) story for XMAS
Next by Date: Re: [Full-Disclosure] Symantec Manhunt ?
Previous by thread: Re: [Full-Disclosure] A funny (but real) story for XMAS
Next by thread: [Full-Disclosure] OSVDB (was [Funny Story])
Index(es):
- Date
- Thread