Tenable's license changes

Ron Gula rgula at tenablesecurity.com
Fri Jan 21 21:41:07 EST 2005


Hi Robert,

At 07:28 PM 1/21/2005, Robert Keith wrote:

>I am surprised to see that there has not been more discussion of the plugin
>update changes implemented by Tenable January 1.

There was much discussion about this on this mailing list late last
year.

>- Tenable claim that distributing plugins with a 7 day delay does no harm to
>the user community is not true.  This cripples the GPL solution.

We continue to receive GPL plugins and release these under the GPL
plugin feed. For GPL submissions that conflict with vulnerabilities
we currently are writing for, we don't accept those. This happens
very rarely.

>- Tenable granting themselves a special right to write non-GPL plugins
>sounds legally questionable.  If it is in fact legal, it still should
>have been made very clear to all Nessus users when they started this
>practice at the beginning of Tenable.  This should also be clear when Nessus
>is downloaded and installed.  It is frightening to think that authors of GPL
>programs can secretly grant themselves rights to create non-GPL modules and
>then surprise the community demanding payment after everyone has unknowingly
>become dependent on the modules.

Anyone who writes code and owns the code can attach whatever licenses
one needs to do this. This is exactly how MySQL and other open source
projects can do this.

>- Tenable's claim that they can pick between GPL and their own plugins when
>a collision occurs, is a clear conflict of interest.

It's not a conflict of interest from our point of view. Just because someone
submits code, plugins, documentation, etc. to the project does not mean it
has to be used. We've rejected plugins and code in the past because they were
horribly written for example. We've also said that we are committed to keeping
up to date with the latest vulnerabilities, staffing the appropriate R&D
resources and maintaining relationships with the various OS and network
vendors.

>- Tenable's claim that they are distributing plugins for free is not
>correct.  They are forcing people to agree to a very restrictive non-GPL
>contract.  Giving up rights is not free.

There is no monetary charge for the registered feed; however, many of Tenable's
competitors no longer have ambiguous methods to distribute Nessus and make a
profit off of it. And yes, the license is more restrictive than before, but
we are not forcing anyone to use Nessus any more than people are forcing us
to keep it up to date.

>- Tenable's method of announcing this drastic change was insufficient.  My
>guess is that much of the user community is still not aware of the changes.

1. we changed the web site
2. we announced it on this mailing list
3. we gave interviews to several leading network security magazines as well
    as some of the top newspapers. I can't control what they say.
4. we briefed Gartner, Morgan Stanley and several other analysts
5. we exhibit at trade shows like SANS, CSI, etc.

If you have other suggestions, please let me know. I'd like to tell as
many people about the change as possible.

>- Tenable's claim that they deserve compensation because of all the free
>work they have done in the past is suspect if the plan all along was to lock
>people into a system and then start charging for it.

Our plan was to make it more difficult for competing vendors to make use
of Nessus in their commercial products. Tenable has a wide variety of commercial
technology that complements Nessus, but has nothing to do with it, such as the
NeVO passive scanner. If we really wanted to force people to spend money with
us for Nessus, we would not be doing things like maintaining NessusWX, allowing
downloads of the class C NeWT scanner (30,000 people) at no charge and giving
away a set of plugins that even at seven days old, puts to shame a lot of the
commercial vulnerability products out there.

>- Tenable has not been forthcoming about what they are trying to achieve
>with this change.

We don't want competitors of Tenable to use Nessus.

>Are they simply trying to get paid?

It is nice to get some money from the Nessus users out there, but Tenable's
focus has always been large/medium enterprise customers.

>Are they trying to drive their competitors out of business?

Changing the plugin feed really hurts some of our competition, which basically
take Nessus, add a GUI and then call it a product. Some of the GUIs are really
nice too, but it's still Nessus doing the scanning. I think there is enough
business in this economy for many companies to succeed, so I'm not going to
say they should go out of business. However, it levels the playing field
tremendously.

>Is Tenable trying to support
>certain business models and not others, for example are they trying to drive
>software vendors out of business but support consulting companies?

We gave this a lot of thought, as we didn't want to really hurt the consultants.
What floors us is that there are consultants out there that are totally dependent
on Nessus for their vulnerability scanning. I'm talking about the 'little guy'
consultants as well as the big ones. Many of these guys make a lot more money
than $1200/year and they object to the charge.

>All of this said, I am sympathetic to the claim that Tenable should be
>compensated for all the hard work they have done and continue to do.

Most people feel the same way, however, they greatly differ in the amount
of compensation. The overall response we've had is that $1200/year per
scanner is pretty cheap and we should have charged

>  The
>ideal situation would be to guarantee revenue for Tenable for the valuable
>services they provide and also guarantee the Nessus project continue to
>grow.

This accurately describes the current situation. However, you don't go
as far as to say that Nessus should not be used to harm Tenable's well-being.

>  This would be in everybody's best interest.  Nessus is a critical
>resource.

If it is a critical resource, people should not object to paying for
how we have the plugins being distributed.


>In my humble opinion
>
>- Any new policy should not affect history.  The plugins that were developed
>before January 1 should be GPL, like most people assumed they were.

Most people didn't seem to be bothered that Tenable was writing most of
these plugins anyway. We feel that Nessus users felt there was a vast
army of contributors to Nessus when in fact there weren't.

>- $1200 per year per scanner seems high.

Based on what? Have you looked at the price of a managed service vulnerability
scan, or get a quote for a commercial vuln scanner? Without the $1200 feed,
your scanner is almost as good as any other commercial scanner for free.

>I would guess that for $1M per
>year a small team of programmers should be able develop, test and release
>new plugins as well as maintain and upgrade the existing library.  This
>revenue would be generated by about 1000 licenses.  There are clearly many
>more than this.   If Tenable extracts huge profits from writing plugins,
>they will attract competitors which will cause the plugin market to fragment
>(I use vendor X's library, you use vendor B's) which will work to no one's
>benefit.

Although Nessus is an open source project, Tenable's business practices are
not. If I told you that we had far less than 1000 users, we could argue
charging a higher price than $1200. If I told you we made enough to pay for
R&D of Nessus, we could charge less. Anything I say here can be used against
Tenable, so we are not publicly saying how much or how little we are generating
in revenue.

>- New plugins should be GPL.

Why? We've actually had people not submit plugins to the Nessus project because
they reject GPL altogether in favor of FreeBSDish licences. We don't want to
maintain a variety of non-Tenable feeds.

>   I think that most users would pay a fair price
>to get the latest tested plugins.

What is a fair price? We feel that $1200 per scanner is very affordable.

>I think if users feel that they are being
>charged a fair price for a great product they will pay.

We feel this is the situation.

>  Tenable can still
>hold new plugins for 7 days, which would be a major value to corporate
>Nessus users.

A large number of people who have registered for the 7-day delayed feed
are from corporations. Some of these folks even pay for the $1200 direct
feed. Some even buy our commercial products.

>If Tenable continues with the program as currently constituted, I see
>serious problems developing.

Why?

Ron Gula, CTO
Tenable Network Security 
