Operators of the Open Sourced Vulnerability Database (OSVDB) have accused security vendor McAfee, a subsidiary of Intel, of scraping large amounts of vulnerability data from the organization's database without first procuring a license, essentially poaching the analysis of participating researchers.
The OSVDB is an arm of the Open Security Foundation, a 501(c)(3) not-for-profit organization that seeks to provide accurate and unbiased information about security vulnerabilities in a cross-referenced database. The database is free for individual, non-commercial use; any other use of the data requires a paid license. The fees help keep the nonprofit organization operating.
“[McAfee] approached us last year about obtaining a commercial feed to our data that culminated in a one hour phone call with someone who ran an internal VDB there. On the call, we discussed our methodology and our data set. While we had superior numbers to any other solution, they were hung up on the fact that we weren’t fully automated,” wrote OSVDB’s Jericho.
“The fact that we did a lot of our process manually struck them as odd. In addition to that, we employed less people than they did to aggregate and maintain the data. McAfee couldn’t wrap their heads around this, saying there was “no way” we could maintain the data we do. We offered them a free 30 day trial to utilize our entire data set and to come back to us if they still thought it was lacking,” Jericho continued.
According to OSVDB’s logs, McAfee subsequently made 2,219 data requests between May 4 and May 6, all without securing a license and paying for the service.
“Overall, it is entirely frustrating and disappointing to see security companies who sell their services based on reputation and integrity, who claim to have ethics completely disregard them in favor of saving a buck,” Jericho asserted.