Full Disclosure mailing list archives

Symantec Buys SecurityFocus, among others....


From: full-disclosure () lists netsys com (Chris Wysopal)
Date: Fri, 19 Jul 2002 15:10:26 +0000 (GMT)

On Thu, 18 Jul 2002, Jay D. Dyson wrote:

      Perhaps the best way to beat these cash hounds at their own game
is to start using a strictly not-for-profit licensing on all released
advisories and proof-of-concept code which stipulates that for-profit
companies may not use said information in any way.

Even if you put a copyright notice on your advisories and give permission
for non-profits to redistribute, the for-profits will just reword the
information for their database.  It usually takes several days to research
and create an advisory and many hours of working with the vendor to get
them to fix it.  The vuln reporter gets some street cred.  The for-profit
retypes the information and probably makes a few thousand dollars PER
ADVISORY.  And several for-profits are doing this.


      Let's face it: the for-profit companies have been leeching off the
community for years and giving nothing back save for sponsorship of key
escrow, further draconian legislation, and advocacy of a security cabal
(which they would control) that would take free information and bundle it
as a pay-for product/service.

The only way to stop the leeching is to have a free vulnerability database.
There could be a site where vuln reporters could enter the information into
the database themselves.  This database would always be the most up to date
and the most accurate.  If there was a standardized vuln reporting format
perhaps the import to the database could be automated.  Mirroring of the
database around the world would be encouraged.

I would love VulnWatch to be able to do this.  Any volunteers?

      Look, I have nothing against someone trying to make a buck.  That
is the cornerstone of the capitalist system.  What burns my biscuits is
that the monolithic security companies are not making this money off their
own efforts[1], but by leeching off the egalitarian contributions of those
who possess a skill set the businesses are not willing to pay for.

Agreed.  I have struggled with the model that exists for many years.  It
seems the only way to make money off of vuln information is to sell a
database and the people selling them do not pay the vulnerability
reporters for their effort. Let's face it.  There would be no security
information business without all the people donating their knowledge for
free.

Of all the vuln database companies SecurityFocus has been the best at
giving back to the community and they say this won't change.  Even so a
completely non-corporate and free vuln database would be something good for
the community.

-Chris


- -Jay

1.  About the only real effort I see from corporate security firms these
    days is whipping up FUD-filled press releases to scare the living
    bejeezus out of the masses about "cyber-terrorism" and other happy
    horseshit.

