Word broke on October 5 that Tenable Network Security, the company founded in 1998 to hold the copyright for Nessus, would not release Nessus 3.0 under the GNU General Public License (GPL). The company said it would continue to maintain the GPLed 2.2.x series, but would not open the source of the impending Nessus 3. By October 10, the GNessUs project launched a fork based on Nessus 2.2.5 and a community quickly began forming around it.
Tim Brown, a penetration tester for Portcullis Computer Security Limited in the UK and founder of GNessUs, said the idea to fork the project came out of conversations with colleagues in the security industry in England.
Brown said that the company's move to drop the GPL for Nessus 3 was no great surprise after Tenable split the plugin streams for the software and ignored concerns by Brown and others that vulnerabilities would be missed because people refused to check the streams for either fiscal or ethical reasons. "My fork is dedicated to that community," Brown said.
The split last December created a three-part stream structure that offered a fee-based "Direct Feed" with the latest vulnerability checks available from Tenable, a delayed feed available to those who registered with Tenable and agreed to Tenable's license agreement for plugins, and a "GPL Feed" with plugins from the user community.
Ron Gula, chief executive officer at Tenable and one of its three founders, said Nessus 3, despite its commercial license, would continue to be a free product, and the vulnerability checks would be distributed to invite inspection and contributions from the user community.
"Open source can be a successful model in some cases," Gula said referring to the growth of Nessus, and his hopes to keep alive the Tenable-based Nessus community. "Tenable is proud of its Nessus heritage and will continue to maintain the Nessus 2.x GPL."
Gula said, however, that the company's new business model was based on an "increase in demand from our customers who want a fully supported, commercially licensed version of the product."
Over the course of nearly three weeks the GNessUs project has grown to include about 50 potential contributors, and Brown has begun installing a consensus model of decision-making in the young community to keep the feeling of involvement high. A post on the GNessUs Web site also asked contributors on the mailing list to start registering at the project's wiki so that they can begin claiming tasks.
Brown was introduced to the consensus idea by his work with the Independent Media Center (IMC). Brown said IMC makes decisions without alienating the people who make it happen.
"People can be too rigid in their positions, which is what leads to fractions developing," Brown said. "Consensus is all about learning to say, 'I can live with that.'"
The communal decision model has already come into play. Tenable is asking Brown to change the name of GNessUs to something that does not include the name of its software. According to Gula, Tenable is protecting its trademark, which is pending in the United States and already registered in France.
Brown said he realizes he would likely have lost a court fight over the name. Heeding the advice of "a number of well-known individuals [who] expressed a concern that it may cause a problem in the future," Brown turned to his new community to come up with a name.
Brown stopped accepting submissions after receiving 32 possible names and offers of domain names that are already registered, including variations of OpenVAS, for the name "Open Source Vulnerability Assessment Scanner." He has asked the community for input on whether to use one of the registered domain names or come to some sort of agreement on one of the other names.
Brown said he has contacted GNU/Debian trademark holders Software in the Public Interest (SPI) about possibly holding one of the domain names in a trust to protect the openness of anything developed there.
In addition to attracting developers, Brown said GNessUs has already generated the interest of two commercial sponsors which he declined to name, offering only that both are based in the United States, and one is the developer of "a major open source security product." Another US-based group has also offered to contribute more than 1,000 plugins to the project.
Although the project will have no formal link to Tenable, Brown said he hopes to work with the company to at least "do each other favors," as they seem to be working toward similar goals. This is part of the reason he decided not to push the name issue.
"The opportunity arose to have a healthy dialogue with Tenable and I chose to take it," Brown said, adding that he hoped keeping all versions of Nessus effective and worthwhile was a common interest. "I'd certainly contact them if we found a serious security issue, and would hope that they'd do the same."