McAfee accused of McSlurping Open Source Vulnerability Database

Lawyers say security giant should have paid before it unleashed slurping scripts


Intel security subsidiary McAfee may be in hot water after it allegedly scraped thousands of records from the Open Source Vulnerability Database instead of paying for them.

The surreptitious slurp was said to be conducted using fast scripts after McAfee formally inquired about purchasing a license to the data.

Those scripts, OSVDB said in a blog post, deliberately subverted security controls designed to protect the database by rapidly changing the user agent.

A fed-up OSVDB staffer took to the website's blog to out McAfee and Spanish infosec firm S21Sec, which also hoovered up vulnerability data after being told such access was a paid service.

McAfee told The Register it was investigating the matter.

The OSVDB's Brian Martin said in an email to The Reg that McAfee, S21Sec and others alleged to have pilfered the databases ignored the paid license.

"There is debate on if a database can be copyrighted. Instead of saying they are infringing that, we are saying they are wilfully ignoring our posted license," Martin said.

"In the case of S21, they were sent an email explicitly saying that to use our data for the stated purpose required a license. In the case of McAfee, they were in negotiation with our commercial partner to subscribe to our commercial vulnerability feed, and then backed out saying they didn't think we could provide the data we claimed."

"In each case, the companies were aware of the license requirements. In each case, they waited some months later to systematically scrape our data."

OSVDB aggregates and formats public vulnerability records for free individual consumption but requests that those seeking more comprehensive access pay for the right. The outfit's site includes a copyright statement.

The site's copyright could be breached by individuals merely downloading the information in contravention of the site's policies, and did not require the data to be subsequently disseminated.

This contradicted a heated debate online in which pundits, including respected infosec bod Robert Graham of Errata Security, argued the OSVDB data was simply public and that it was not unethical to scrape it.


Graham pointed out that the staffers behind the scraping could have done so for personal use or to test a project, but this argument was dubbed a 'popular misconception' by University of Technology Sydney Professor of Law Michael Fraser.

"The issue is not about public information, the issue is whether copyright applies," Fraser said.

"There is no copyright in 'fact', but if it amounts to original copyright work, then the expression of that work is copyright and you can't reproduce it without permission."

"They [McAfee and S21Sec] would breach it by communicating - downloading - the information."

That OSVDB employed people to add value to the database means the data slurp looked likely to have breached copyright, said University of Melbourne law school professor Andrew Christie.

"The manual processing suggests to me that under US and Australian copyright law it would be protected," Christie said, emphasising that his analysis is preliminary.

"Whether it's copying from a website or breaking into a safe, it doesn't matter." ®
