From Ken.Williams at ca.com Mon Apr 28 11:14:14 2014
From: Ken.Williams at ca.com (Williams, James K)
Date: Mon, 28 Apr 2014 16:14:14 +0000
Subject: [VIM] Secunia has now put ALL vulnerability info behind login?
Message-ID:

FYI, it appears that Secunia just put all vulnerability content behind a login. Additionally, the website states that the vuln info cannot be used for commercial purposes.

Regards,
Ken Williams
Director, Product Vulnerability Response Team

From stmoore at us.ibm.com Mon Apr 28 11:18:21 2014
From: stmoore at us.ibm.com (Scott Moore)
Date: Mon, 28 Apr 2014 12:18:21 -0400
Subject: [VIM] Secunia has now put ALL vulnerability info behind login?
In-Reply-To:
References:
Message-ID:

I wonder what constitutes commercial purposes?

We reference them with a link to their website, and do not sell our vulnerability data.

Thanks.

-----
Scott Moore
Vulnerability Database - Team Lead
X-Force Research and Development
IBM Security Systems
Office: 404-348-9288
Cell: 404-643-1260

From jericho at attrition.org Mon Apr 28 11:26:32 2014
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 28 Apr 2014 11:26:32 -0500 (CDT)
Subject: [VIM] Secunia has now put ALL vulnerability info behind login?
In-Reply-To:
References:
Message-ID:

On Mon, 28 Apr 2014, Scott Moore wrote:

: I wonder what constitutes commercial purposes?
:
: We reference them with a link to their website, and do not sell our
: vulnerability data.

Using a link to them as a cross-reference isn't "commercial".

Pretty sure they are combatting the same thing OSVDB has for years, people using our entire entries, text and all, in products and services.

From Ken.Williams at ca.com Mon Apr 28 11:30:02 2014
From: Ken.Williams at ca.com (Williams, James K)
Date: Mon, 28 Apr 2014 16:30:02 +0000
Subject: [VIM] Secunia has now put ALL vulnerability info behind login?
In-Reply-To:
References:
Message-ID:

See sections 6.1 and 6.2 in the EULA on the Community Login signup page.
https://secunia.com/community/profile

Figuring out if your use constitutes commercial purposes is only half of your problem.

All reference links to secunia.com are effectively dead now unless your site visitors have a Secunia account.

Regards,
Ken

From jericho at attrition.org Mon Apr 28 11:33:06 2014
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 28 Apr 2014 11:33:06 -0500 (CDT)
Subject: [VIM] Secunia has now put ALL vulnerability info behind login?
In-Reply-To:
References:
Message-ID:

On Mon, 28 Apr 2014, Williams, James K wrote:

: All reference links to secunia.com are effectively dead now unless your
: site visitors have a Secunia account.

Sure, but we want x-refs regardless. Hell, we've been linking to BID as best we can despite their public side having next to no information available =)

From Ken.Williams at ca.com Mon Apr 28 11:41:05 2014
From: Ken.Williams at ca.com (Williams, James K)
Date: Mon, 28 Apr 2014 16:41:05 +0000
Subject: [VIM] Secunia has now put ALL vulnerability info behind login?
In-Reply-To:
References:
Message-ID:

Secunia blog post on the subject.
http://secunia.com/blog/modification-of-the-access-to-the-secunia-advisories-390/

Regards,
Ken

From coley at mitre.org Wed Apr 30 18:35:17 2014
From: coley at mitre.org (Christey, Steven M.)
Date: Wed, 30 Apr 2014 23:35:17 +0000
Subject: [VIM] Secunia has now put ALL vulnerability info behind login?
In-Reply-To:
References:
Message-ID:

Late Tuesday night, I made a direct inquiry to Secunia, since I also have questions about the EULA. If CVE discovers a cross-reference through Secunia or integrates some description details, it seems it could be a violation. I haven't heard back yet.

SecurityFocus, OSVDB, and now Secunia have all restricted access in one form or another. While I recognize there are numerous reasons for doing so, hopefully this trend won't continue, and hopefully we VDB specialists can figure out the best model(s).

Scott and Ken - not to put you *too* much on the spot, but since your VDBs are closely attached to your products, I'm wondering if you have a different business model and less of an existential threat than the "vuln intelligence" VDBs do?
- Steve

From jericho at attrition.org Wed Apr 30 18:56:33 2014
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 30 Apr 2014 18:56:33 -0500 (CDT)
Subject: [VIM] Secunia has now put ALL vulnerability info behind login?
In-Reply-To:
References:
Message-ID:

On Wed, 30 Apr 2014, Christey, Steven M. wrote:

: SecurityFocus, OSVDB, and now Secunia have all restricted access in one
: form or another. While I recognize there are numerous reasons for doing
: so, hopefully this trend won't continue, and hopefully we VDB
: specialists can figure out the best model(s).

This is a pretty gross mischaracterization in the context you put it.
SecurityFocus has had very little info available on their public side (e.g. they rarely show provenance, aren't mapped fully to CVE, use overly generic descriptions, etc). Their commercial offering has beefier descriptions but largely generic templates, typically shows provenance (but not always), etc.

Secunia has removed almost all of their information as of a few days ago.

Compared to OSVDB, who has only restricted access to some dates, tech notes, and testing notes... leaving our entries 80% or more open, and always showing provenance (which may change, due to continued abuse of our resources by gov, mil, com, international, etc).

Comparing OSVDB to those two in that way, in my opinion, is wrong. If and when we close up more, then a comparison is more likely in order. And when that happens, know that it isn't because we want it. We'd rather be able to stay open to support the community, but there is an abundance of unethical companies that will go to great lengths not to license the data.

--

As to the 'why', we all know basically what prompts it. What amuses me is that BID started to use us heavily for a few weeks until we made changes to prevent scraping, then removed the 'last 10' on the front page. After that they quickly switched to using Secunia heavily. Even two days after Secunia closed off most information, BID is *still* using them heavily. We can see this very clearly.

As an example, today there were three separate cases where Secunia released an advisory on an issue older than 10 days. Less than 12 hours later, BID released an advisory on the exact same issue. The odds of both of them finding those three very different vulns on the same day, as many as two weeks after disclosure, are slim. (This is the value of us trying to maintain a 100% cross-reference mapping to as many databases as we can. =)

What used to be more open is now a matter of competitive intel.
Again, this is my opinion, but watching Secunia and BID fight to use other VDBs and *still* remain so woefully behind is amusing, if not a bit pathetic.

Finally, remember that CVE is a "specialty database" (only term I can use that you agree with =) that gets government funding. The others are commercial models and that is how data aggregation is funded. You can give the pouty eyes and 'woe is us' but quite simply, we all have to figure out ways to make our databases happen.

: Scott and Ken - not to put you *too* much on the spot, but since your
: VDBs are closely attached to your products, I'm wondering if you have a
: different business model and less of an existential threat than the
: "vuln intelligence" VDBs do?

Careful with those air quotes. You can argue all day long, but more companies use CVE for vuln intelligence than OSVDB, Secunia, and BID combined, probably. The number of times we convert customers that were using CVE as their primary intelligence feed is more than any other source.

.b