Summary: Copyright on Security advisories

From: Aviram Jenik (aviramat_private)
Date: Mon Feb 22 1999 - 10:43:24 PST


    I've got a lot of responses to my original post (seems like I'm not the only
    one with that problem..)
    
    Most of these responses were very informative, so I'll post a short summary.
    
    It seems that the law agrees with common sense (or is it the other way
    around?). It's all about "fair use" of published material.
    Public security advisories aren't copyrighted against people quoting them,
    paraphrasing or publishing them in full ("fair" uses include commentary,
    criticism, summarization, paraphrasing, and reports). Since the re-publishing
    of those advisories is done for non-profit, this is no problem. Linking to
    the original is common courtesy, but not necessary from a legal point of
    view.
    
    I guess the only "bad" use is taking the original advisory and selling it
    under my own name..
    
    Another question is using the exploit source code that is sometimes included
    in those advisories. Since this code is published to the public with the aim
    that it will be used by as many people as possible, it is okay to include it
    when reporting about the exploit (as long as the code is not altered).
    
    So, basically, if you're a good guy then you've got no problem ;-)
    
    I also have to mention that I got many messages from people who think some of
    the advisories are too much about "fame and glory". Though I think it's great
    that commercial companies share their knowledge with the rest of the
    community, they are clearly not doing so out of pure philanthropy. Therefore,
    they can be a little nicer and tone down those disclaimers (though I'm sure
    their attorneys think differently).
    While I'm at it, I have to say that to this day I have gotten no reply from ISS or
    HERT (though the original post was mailed to them also). On the other hand,
    someone from Microsoft (which is an example of a commercial company that has
    *no* explicit copyright in their security advisories) immediately contacted
    me to make sure MS alerts are okay.
    
    So, Aleph - since this topic repeats once in a while, I hope this information
    helps clear out some of the question marks.
    
    I won't end with a disclaimer (though I think it's called for), but I think
    you're all old enough to understand that if you're really not sure whether
    you can use other people's material or not, you should get a real lawyer.
    
    --
    -------------------------
    Aviram Jenik
    
    "Addicted to Chaos"
    
    -------------------------
    Today's quote:
    The most important things to do in this world are to get something
    to eat, something to drink and somebody to love you.
                             - Brendan Behan, in "Weekend", 1968
    


