[Full-Disclosure] A funny (but real) story for XMAS
listuser at seifried.org
Tue Dec 16 21:28:24 GMT 2003
> The reason OSVDB isn't well populated yet is that each
> vulnerability has to be evaluated and written up afresh
> in order to avoid violating any existing DB's copyrights.
> That takes time. If you want to shorten that time, go
> volunteer. :-)
I like the idea of osvdb, I have concerns about the execution. I tried to
But after a few pages got tired of trying to figure out how all the various
loopholes and things like "We reserve the right, at our discretion, to
change, modify, add or remove portions of these terms periodically." will
interact. Then there is things like:
"You agree not to sell, resell or offer for any commercial purposes, any
portion of the Services, use of the Services or access to the Services."
So what happens if I reference an osvdb writeup in a commercial product, it
would seem even just using whatever identifier osvdb uses for an issue (the
name) would violate their terms of service.
While the osvdb claims they will use a license similar to the CPL (according
They then go on to say:
"Currently OSVDB is seeking legal aid to determine how to best reuse the
CPL, or draft a similar license. "
With all the above loopholes, and the uncertainty about the license and
conflicting license/terms of service/etc I have a feeling this company may
pull a CDDB (that is, let people enter stuff, and use it for free and then
yank it and go commercial). This is sponsored by two commercial companies
and let's face it, at the end of the day if it comes down to making an extra
buck, or being "nice to the community" most companies will go with the
I could be wrong of course, and sincerely hope I am. But the execution of
this project makes me nervous.
Kurt Seifried, kurt at seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
Full-Disclosure is hosted and sponsored by Secunia.