Nmap Announce mailing list archives

Re: Nmap 3.81 Released; Pr0n; License Non-changes


From: Renaud Deraison <deraison () nessus org>
Date: Tue, 8 Feb 2005 08:24:02 -0500


Hi List and Fyodor,

On Mon, Feb 07, 2005 at 02:34:11PM -0800, Fyodor wrote:
> In other news, some users have expressed concern about the new Nessus
> license.  If you want to use Nessus and all its plugins for
> consulting, you are now required to fax Tenable a signed license
> agreement requesting permission.

This is correct. The issue is that in legalese-speak, it's difficult to
distinguish between a consultant and a Managed Security Services
Provider (MSSP), and some of them have blatantly abused Nessus in the
past by claiming they "invented the technology", so we had to find a way
which :

 a) Makes the use of Nessus free for consultants ;
 b) Allows us to prevent such companies from using it if they lie in
    their claims ;

In the same vein that in real life you have to use annoying keys to lock
your door to prevent a minority of bad guys from breaking into your
house, we had to set up some measures to prevent a minority from abusing
the project.

> You must also promise not to redistribute or reverse-engineer the plugins
> (http://www.nessus.org/plugins/index.php?consultant=1&email=c&product=).
> They also instituted a $1200/year charge for the latest plugins (a
> delayed feed is available free with registration for certain limited
> uses).


The registered plugin feed (which is _free_) allows you to scan the network 
of your workplace or home, with all the plugins that have ever been written,
although there is a 7 day delay between the time we write the plugins
and the time you receive them. If members of the open-source community
submit a given plugin, then it's available under the GPL with no delay.

Same thing with consultants and MSSPs: you can get the plugin feed 
for _free_ but you need to ask for authorization only once. We do NOT
use the gathered data for commercial purposes. Actually, we don't even
keep a digital copy of the authorizations, since we're talking about a
fax, so we do not have a database of consultants and/or MSSPs.

Finally, if you have some kind of religious stance regarding the use of
non-GPL software, there is a 100% GPL plugin feed which contains 
over 2,000 plugins.

> They also now claim that many of the existing Nessus plugins
> were never open source.  At the same time, they rewrote the Nessus web
> page to emphasize that Nessus is "<i>the</i> open-source vulnerability
> scanner".

Nessus is an engine, and it is released under the GPL license. A great
number of plugins is released under the GPL license. I think that
qualifies for "open-source".


[...]
> They argue that this change is necessary to maintain quality and
> satisfy shareholders

We have never claimed that we clarified the license to satisfy shareholders. 
We are privately funded and not dependent on VCs.

What we've claimed is that setting up an environment to react in real time 
to new vulnerabilities (instead of reacting "whenever I have time"), and hiring people to work full time on new 
security checks (and QA them) requires 
more than goodwill, especially when you see that these checks are then
being used by our competitors. If the community had submitted more plugins, 
maybe this would not have been necessary, but when you look back and see that 
Tenable contributed over 80% of the new plugins in 2004, then there is a 
problem.

It turns out that when people think of "open-source", most of them think
of a million people writing one line of code each, and this is
absolutely false.

Just a quick recap :

  + 100% of the Nessus Engine  : Michel Arboi and Renaud Deraison (Tenable)

  + 95%  of the Nessus Plugins : Michel Arboi, David Maciejak, Noam Rathaus,
    Digital Defense Inc., George Theall and Tenable.


I recently explained the rationale behind the license change 
in a lengthy email, available at :

 <http://mail.nessus.org/pipermail/nessus/2005-January/msg00185.html>


We also have some sort of FAQ regarding the license change :

 <http://www.tenablesecurity.com/products/direct-examples.shtml>


If you have any questions, don't hesitate to send them to me.

Thanks,

                                -- Renaud

--
Renaud Deraison
http://www.nessus.org
