[ubuntu-hardened] Usage of Ubuntu Security Data in VulnerableCode

Seth Arnold seth.arnold at canonical.com
Tue Jan 24 20:31:59 UTC 2023


On Wed, Jan 11, 2023 at 06:27:38PM +0530, Tushar Goel wrote:
> We would like to integrate the Ubuntu usn data[1][2] and
> Ubuntu security data (OVAL format)[3] in vulnerablecode[4]
> which is a FOSS db of FOSS vulnerability data. We were not
> able to know under which license this security data comes.
> We would be grateful to have your acknowledgement over usage of
> the ubuntu security data in vulnerablecode and have
> some kind of licensing declaration from your side.

Hello Tushar, we do not have an explicit license on this data.

We share our data with the intention that others will use it. Please
feel free to use it for the general furtherance of security.

Much of the data that's contained within our databases is sourced from
third parties, who also shared their data with the intention that others
will use it. I'm not sure what it would look like to try to put a license
on data that is crowd-sourced from thousands of contributors. (If you were
to start such a project today, it'd probably be one of the first things to
formalize. But when CVE was started two decades ago, the primary goal was
sharing knowledge and simplifying the vulnerability remediation process,
and licensing the data was, as far as I can remember, not considered.
Sharing was the goal.)

I will ask that vulnerablecode 'be nice' to our infrastructure that
hosts the databases -- some automated uses of our infrastructure by
vulnerability scanner tools have led to significant load and engineering
effort. In general, please prefer a small handful of systems updating
mirrors roughly twice a day rather than thousands of hosts pulling
data hourly.

Thanks