October 05, 2005

A lesson for OSS: Nessus drops the GPL

I wondered how long it would take for Renaud to complete the licensing transition from open source for Nessus to closed.

Seems like today is the day. He announced that Nessus 3.0 will still be free of charge (for now), but will NOT be released under the GPL. In his words:

Nessus 3 will be available free of charge, including on the Windows platform, but will not be released under the GPL.
Nessus 3 will be available for many platforms, but do understand that we won't be able to support every distribution / operating system available. I also understand that some free software advocates won't want to use a binary-only Nessus 3.

As a fellow entrepreneur, I understand that he wishes to find methods to increase revenue and protect his interests. But I also think his positioning on his reasons is slightly flawed. His reasoning is that:

"virtually nobody has ever contributed anything to improve the scanning _engine_ over the last 6 years."

I wouldn't doubt that's the case. But this quote to the nessus list bugged me today, and I will tell you why. In May 2002 I formed a company called VulScan Digital Security. My plan was to port the Nessus engine to Windows (keeping the engine still under GPL) and design a more in-depth proprietary management tool for network pentesting to compete against the big boys who were charging insane amounts of money. I was about a quarter of the way through completing the port when I ran into some issues with the NASL scripting and I tried to contact Renaud and his crew to point out some issues I found. The help I got? Squat. Nothing. Barely even communicated with me. I only ever got a couple of email responses saying "I was free to do it" when I asked if I could do it in the first place, and a follow up to an issue I found with a quick thanks. At that point I realized I wouldn't be getting any support and I dropped the project. If you can't get support from the original authors, it doesn't make a lot of sense to carry on.

Now he is pointing out that he received no contributions to his code. Of course not. No one wants to work with someone like that without forking off into its own project. And we all know how f*cked forked projects normally end up.

Now, Fyodor and the Nmap project on the other hand, "get it". Any time I have come across an issue and asked for help, Fyodor has always emailed me back in a timely manner and with useful information. And you know what?? I have submitted patches to fix things once I got my head around what the real problem was. The whole raw socket XP SP2 fiasco had a fix within 4 hours of Fyodor and me talking about it. After my patch submission we found that a new ARP caching issue also existed. It only took me another couple of hours to have that written and tested, and Fyodor put it into the Nmap base to get Windows people going again. Give and take. THAT's how an open source project should work.

Today Fyodor posted an email discussing how Nmap will not follow Nessus. Thank you for that Fyodor. As a regular Nmap user I appreciate that.

I wish Renaud and Nessus all the greatest success in marketing Nessus. Let it be a lesson to all of us though. Open source software is about give and take. If everyone just takes and never gives back, don't assume it will always be there for you. On the flip side, if you manage an open source project and want help, make sure you give respect to those willing to dig in and help. Otherwise they will leave you just as quickly.

Have an interesting open source vulnerability scanner you are working on, or planning to fork off Nessus? Email me at dana@vulscan.com and let me know.

Posted by SilverStr at October 5, 2005 03:24 PM

Dana, could you post a link to Renaud's comments?

Posted by: Matt McClellan at October 6, 2005 07:35 AM

Hey Matt,

Sure thing.

Renaud's original announcement is:


His follow up about the fact no one has contributed to the engine is:


To fill out the conversation, Fyodor's comments are at:


Posted by: Dana Epp at October 6, 2005 08:26 AM