questions regarding new plug-in policy
Dan Bowman
dan at tenablesecurity.com
Mon Dec 13 14:29:54 EST 2004
Hello Rolando,
Please know that many here at Tenable have been Nessus users and supporters
in one way or another for a very long time. Also know that managers from
Tenable's R&D team, Product team, QA team & Customer Support team follow the
Nessus list closely for what the community is interested in or finds painful
and needs fixed or a better solution. Please comment / complain away, we do
listen. All we can ask is that you be civil about it for professional
respect, something that nearly all members of the Nessus mailing lists have
been.
On Nessus.
There is currently no intent on closing Nessus. While I cannot speak about
what the long term future holds, we are very committed to the open source
project Renaud created, that is Nessus, for a variety of reasons. You may
have noticed that Tenable has even taken to updating NessusWX, the Windows
based Nessus client that had some bugs (a related but independent project
that had gone stale) by using resources from our Windows development staff.
We gave away our updated solution even though it is a competing product to
Tenable's NeWT scanner.
That said, someone has to pay for the developers, researchers, servers,
bandwidth, research costs (a lab is dedicated to this), QA effort, the
donuts Renaud speaks of (I'll have to go looking for those), etc. It's not
all free. Tenable represents one of many efforts to follow an open source
model while simultaneously supporting a for profit business that accelerates
the development and research process of the tool. So far, this has worked
well for Tenable and the Nessus project as many of the changes in Nessus in
the last two years represent a major effort to equal all of the purely
commercial products available and in many ways, exceed their capabilities.
This has continued to be available for free to the public. What Tenable
has noticed is that many companies and small service groups have begun
employing Nessus in commercial ventures and sometimes we run into direct
competition with said organizations using our own product against us.
Somehow, this seems less than fair and most importantly, this is not the
community.
For the community, it's a pretty powerful tool that we are only asking that
users register to use. Without that registration, companies that are out of
line with the licensing can claim to have never seen any restrictions about
the use of Nessus. This eliminates that loophole while still allowing the
private, community users to use Nessus free of charge. This is a
notification to those groups that they have always been out of line with the
licensing of Nessus. Also, many of these vulnerability assessment
organizations develop changes and plugins which they do not contribute to
the project, breaking the GPL license and the license held by Tenable over
the engine and specific plugins. Tenable on the other hand has worked hard
to increase the functionality and speed of Nessus and this coding effort is
available to you for free at nessus.org. When the NeWT scanner was
initially released, it was significantly faster than Nessus, changes were
implemented into Nessus that took advantage of the lessons learned in NeWT
and brought its speed on par with NeWT. (Renaud would never allow such a
situation between UNIX and Windows to persist. ;-D ) My group maintains a
number of proprietary UNIX OS's in our lab to assist with porting Nessus to
these platforms even though Tenable receives no direct value from these
efforts and we plan on increasing the number. The community is directly
benefiting from Tenable.
Tenable's legal paths are not something I can comment on so I have to end
this message here. But please know that from every part of the management
at Tenable, we like the Nessus tool as a GPL'd open source project. We do
gather good testing information from the community and respect that
contribution. There will continue to be new features added to Nessus,
funded and produced by Renaud and Tenable and free for your use.
I thought the community should hear this from one more part of the Tenable
management team.
Hope this helps.
Regards,
-- Dan
Daniel Bowman
Director of Support & QA
Tenable Network Security
----- Original Message -----
From: Rolando Azpurua
To: deraison at nessus.org ; nessus at list.nessus.org
Sent: Monday, December 13, 2004 12:55 PM
Subject: RE: questions regarding new plug-in policy
I am a user.
I have never contributed to the project
I have no rights to talk and criticize?
It has been your project and effort that started as a complete GPL effort.
As always happens, people get greedy
People want more power
And they decided to yell at everybody else.
What can we do?
Rolando
Hyland Jeremy J CONT KPWA <HylandJ at kpt.nuwc.navy.mil> wrote:
I am most annoyed because I have seen this trend before. Now you want us to
register, next year it becomes purely pay for subscription, one year later
Nessus isn't even supported any more and is replaced by a proprietary
Tenable product.
Apparently I was mistaken about the number of contributors. I just assumed
that with 2000+ GPL plug-ins, there must have been quite a few people
involved for non commercial reasons.
-----Original Message-----
From: Renaud Deraison [mailto:deraison at nessus.org]
Sent: Monday, December 13, 2004 9:06 AM
To: nessus at list.nessus.org
Subject: Re: questions regarding new plug-in policy
On Mon, Dec 13, 2004 at 08:55:34AM -0800, Hyland Jeremy J CONT KPWA wrote:
> But what about my question? Will Tenable be taking legal action against
> companies violating the license agreement on copyrighted plug-ins?
I do not discuss such legal matters in public.
> In addition, how do you expect me to take your company seriously when you
> respond to email in such a manner.
I speak for myself.
> You guys are the ones changing the game
> here, so if you want to maintain your formally loyal user base, then you
> need to adequately sell us on these changes.
First, we may be the one to "change the game", but I'll remind you that
we're the one who started it. And Renaud+Tenable are _by far_ the biggest
contributors to Nessus (both the plugins and the engine), while you've been
a user so far. In another mail you stated that Nessus was the work of
"hundreds of developers". I suggest you look at the CVS logs and everything
to see how many contributors there have really been over time.
Second, I don't need to sell you on these changes, because it's not a vote.
If you're not happy with this new policy, then stop using the plugins we
wrote and stick to the GPL plugins. That's plain and simple, and best of
all, it does not require any change on your side.
Third, you still have not told me WHAT the annoyance was. I'm sure that it
would benefit to the whole community if you could underline real annoyances
which I'll be happy to fix, instead of complaining for no reason.
-- Renaud