October 6, 2005

Nessus 3.0 to abandon GPL licensing

Author: NewsForge Staff

Nessus -- once billed as "the open-source vulnerability scanner" -- is changing its ways as of the 3.0 release, which is expected shortly. According to a recent post on the Nessus Announcements mailing list "Nessus 3 will be available free of charge, including on the Windows platform, but will not be released under the GPL." On its Web site, Nessus now just bills itself as "the network vulnerability scanner."

NewsForge spoke this afternoon with Ron Gula, CTO and co-founder of Tenable Network Security, which sponsors the Nessus project, and Renaud Deraison, founder of the Nessus vulnerability scanner project and co-founder of Tenable Network Security, about the reasons for the change.

The story broke yesterday with a post by Deraison on the Nessus Announcement mailing list, which immediately drew questions and comments on the Nessus discussion list and elsewhere.

In response to the question, "Have you obtained permission from all copyright holders of patches to relicense their intellectual property?" on the Nessus discussion list yesterday, Deraison simply said, "Yes."

When we spoke with Gula and Deraison today, we asked the official reason for making what is sure to be a controversial licensing change. Gula said:

Like you said, it's a hot-button issue. There's a lot of different people out there with a lot of different views on it. My biggest thing that I want to do is increase the user base, and frankly, the real story is not that we are moving away from the GPL, I think the real story is we are giving away a lot more value, in terms of -- for example -- the Windows scanners which are very, very popular, and also moving Nessus into a place that it's more easily used in corporate America. We have a lot of people out there in large organizations who cannot use open source software in their organization.

When we asked Deraison to expand on the theme of open source not working for the Nessus project, he said:

In that case, yes, in the sense that in the end, the people that committed anything to the engine, to improve it, were like two of us. So if there is no community, and no one touches the code, and then on the other side (there are people) who cannot use Nessus because it is open source, they can't use it on the network, then we decided it would be better to close it.

Finally, we asked what form the new licensing would take. Gula told us, "There are really two aspects to the license. The first part of the license is for the actual daemon, the actual code that people use. Basically that daemon is a free tool, that you can use if you're an end user." Renaud then noted, "Free as in free beer." Gula continued:

So one of the things Tenable does, and this is one of the things that makes Nessus really popular, last year we didn't actually change anything on the Nessus code, that's the daemon, that was still GPL'd, but we made a change to the license. We basically said that the license for the plugin was separate from Nessus, and that these were updated.

And there was basically a seven-day delay for free, which was available to the world. But if people wanted the latest and greatest vulnerability checks, they had to pay for it. So, I can't really give you any names, but some of the largest managed security providers in the world buy this from us because they in turn sell to governments and universities, you know, the latest vulnerability checks. These are for Microsoft, and for Linux, and for Mac. So there are really two parts to the Nessus license, what can I do with the actual program itself, and then what can I do with the content.

The way I say it, if you have Apache, just because I download Apache doesn't mean that I can use the Apache home page's content on my Web site.

Deraison claimed on the mailing list that the Nessus engine has had precious little community support in terms of patches and outside contributions, but some Nessus users were unconvinced that this was true of the project as a whole, with one writing:

I'm sure that has nothing to do with the fact that Tenable refuses to publish plugins developed under GPL when they have plans to develop them in house and can make money off a registered feed. How many people on this list have submitted plugins only to have them trumped by a registered feed plugin? You make a fair point about the improvement on the engine, but perhaps the open source community felt that their efforts were better placed at improving plugins. However, they may have taken a different point of view if they knew that that concentration would mean the loss of the O/S nature of the engine itself.

This assertion was countered by another Tenable employee, George A. Theall, who has written many plugins for Nessus, both as an employee and a contributor:

Before I worked for Tenable, I authored several dozen plugins for Nessus. I do recall one or two instances in which plugins were rejected, but each was because David Maciejak had submitted an alternate before me. David's plugins, btw, are GPL'd.

Mindful of this, since joining Tenable I've been encouraging third-party plugin contributors such as David and Josh Zlatin-Amishav to coordinate with us before writing a plugin by dropping a note of their intentions to plugins_at_nessus.org. I generally tend to respond to these. And while I might tell someone not to write a plugin, it's because either (1) someone else has already written it or has committed to writing it or (2) the benefit of having such plugin, as perceived by both Tenable and the third-party author, is small.

The move has not only raised the ire of many free software fans, it has drawn attention on other security-related lists. On the nmap-hackers mailing list, for example, Fyodor wrote this morning:

In the last Insecure.Org Security Tools survey, you guys proudly voted Nessus #1. It complements the functionality of Nmap by going further to detect application-level vulnerabilities. Then in February of this year, Tenable changed the Nessus license to further restrict the plugins and require that you fax them a permission request form before you use Nessus for any consulting engagements. Renaud wrote to this list on Feb 8 (http://seclists.org/lists/nmap-hackers/2005/Jan-Mar/0001.html), explaining that their new slogan ("the open-source vulnerability scanner") was accurate because the engine was still open source. Today, their slogan has changed to "the network vulnerability scanner," and you can probably guess what that means. In the announcement below, Renaud announces that Nessus 3 (due in a couple weeks) will be binary only and forbid redistribution. They say it will be free, for now, if you use the delayed plugin feed. They have also announced that Nessus 3 will be faster and contain various other improvements. They promise to maintain GPL Nessus 2 for a while, but I wouldn't count on that lasting long.

I am not taking a position on this move, but I do feel it is worth noting for the many Nessus users on this list. Tenable argues that this move is necessary to further improve Nessus and/or make more money. Perhaps so, but the Nmap Project has no plans to follow suit. Nmap has been GPL since its creation more than 8 years ago and I am happy with that license.

It is worth noting that the previous Nessus releases, which are licensed under the GPL, cannot be withdrawn. If the Nessus community feels strongly enough about the license change, it would be possible to maintain and extend previous releases.

Given the incendiary nature of discussions involving contrary views of software licensing, the Nessus move is bound to become an icon tossed back and forth between proponents of the proprietary and free/open source software camps for a long time. At the very least, it's fodder for rational discussions on whether free software licensing works for you.
