Hello!
Thank you for the https://secdb.alpinelinux.org/ service; it is very useful. In our company we are planning to build a security scanner for our customers, so we're interested in using the data of this service.
However, I'm wondering about using it in a commercial product because I'm not sure about the license terms for the data of this service. I would like to kindly ask for your confirmation of whether we can use the feed data in our commercial product. If there are any license or other terms that we need to comply with, please share them with us.
Could you please also tell us which service is preferable for getting information about fixed CVEs in packages: secdb or https://security.alpinelinux.org/ ?
Sincerely yours,
Grinkevich Liubov, Yandex.Cloud developer.

Hello,
On Fri, 4 Jun 2021, Liubov Grinkevich wrote:
> Hello!
> Thank you for the https://secdb.alpinelinux.org/ service; it is very useful. In our company we are planning to build a security scanner for our customers, so we're interested in using the data of this service.
> However, I'm wondering about using it in a commercial product because I'm not sure about the license terms for the data of this service. I would like to kindly ask for your confirmation of whether we can use the feed data in our commercial product. If there are any license or other terms that we need to comply with, please share them with us.
Kevin has brought this up to discuss amongst the security team. Right
now, we don't have formal meetings, but rather choose to work issues
through weekly sprints. It is true that the secdb lacks licensing data,
but our intention is for it to be released under Creative Commons
licensing, so you should be able to use it in your product without issue.
So in the interim, feel free to use it under those terms. We will attach
licensing metadata in this week's sprint in any case.
> Could you please also tell us which service is preferable for getting information about fixed CVEs in packages: secdb or https://security.alpinelinux.org/ ?
Please use secdb for bulk querying. If you need the data enrichment that
the secfixes-tracker service provides, you should set up your own if you
plan to do bulk querying, as the infrastructure team has made it clear to
us that they plan to ban anyone who does bulk querying to the
secfixes-tracker service.
Ariadne