RE: Nessus no longer open source

From: Ted Mittelstaedt
Date: 10/06/05

    Date: Thu, 6 Oct 2005 12:57:59 -0700

    This happened with the SAINT scanner also, however they didn't have the
    decency to keep an older release train going under GPL. SAINT was a
    rework of SATAN which was released open source, making that a
    bitter pill. I believe when SAINT did this, that was what gave the
    impetus to Nessus to become popular.

    Security scanning is an esoteric field and not a lot of people are true
    however there's a huge demand for it from some very deep pockets. Thus
    this kind of thing is inevitable.

    One of the duties of the OSS market is to serve as a spawning ground for
    commercial software packages. There was a huge amount of commercial
    software born from the BSD code, and in fact a number of the BSD
    utilities made it into Windows - including their BSD copyright notices in

    Consider also that the military would almost certainly not want to use an
    open source scanner because that gives the enemy a list of what
    you know about, and what ones you possibly don't. I can think of a
    of other deep pockets like VISA that are the same way. Closing the
    for Nessus 3 will open it up to consideration by a number of customers
    would have been prevented from using it. Almost certainly the research in the
    vulnerabilities that go into Nessus 3 will trickle into Nessus 2 eventually. So
    this move, far from being a blow to OSS, actually strengthens it. If you
    to bitch about something then bitch about SAINT.


    >-----Original Message-----
    >On Behalf Of Gayn Winters
    >Sent: Thursday, October 06, 2005 9:04 AM
    >Subject: Nessus no longer open source
    >One of the highest rated open source security programs, Nessus, will no
    >longer be open source. Quoting from an email from Renaud Deraison
    ><> to,
    >"Nessus 3 will be available free of charge, including on the Windows
    >platform, but will not be released under the GPL.
    >"Nessus 3 will be available for many platforms, but do understand that
    >we won't be able to support every distribution / operating system
    >available. I also understand that some free software advocates won't
    >want to use a binary-only Nessus 3. This is why Nessus 2 will
    >continue to be maintained and will stay under the GPL."
    >I'm not sure if Nessus 3 will be supported as a FreeBSD package.
    >Apparently the folks at Tenable feel that they have been supporting the
    >open source community but have been getting little back in plug-ins and
    >vulnerabilities and virtually nothing back on the scanning engine for
    >over six years. In fact, they have been slowly tightening their
    >licensing (cf.
    >, and
    >it would appear that they can and will continue to tighten it over time.
    >Fyodor's analysis
    >( is that
    >the open source community should take heed. He provides a list of ways
    >to contribute to open source software projects. While the list is
    >excellent, there are no new ideas in it. The thing that seems germane
    >to the FreeBSD community is that ports, even extremely popular ones, are
    >vulnerable, since under the GPL the AUTHOR of the code is not bound by
    >the same restrictions that the users are. I'm not a lawyer, but as I
    >understand it, the author can create a derived work of something under
    >the GPL and license the derived work (a "rewrite" in the case of Nessus
    >3) and arbitrarily restrict it. Given Renaud's claim that no one
    >contributed to the scanning engine, he seems to have every right to
    >create a new and closed version of it.
    >The moral here, if there is one, is that if you really like a port, then
    >you should contribute to it one way or another!
