Nessus no longer open source

Ted Mittelstaedt tedm at
Thu Oct 6 12:58:18 PDT 2005

This happened with the SAINT scanner also, however they didn't have the
decency to keep an older release train going under GPL.  SAINT was a
rework of SATAN which was released open source, making that a
bitter pill.  I believe when SAINT did this, that was what gave the
impetus to Nessus to become popular.

Security scanning is an esoteric field and not a lot of people are true
however there's a huge demand for it from some very deep pockets.  Thus
this kind of thing is inevitable.

One of the duties of the OSS market is to serve as a spawning ground for
commercial software packages.  There was a huge amount of commercial
software born from the BSD code, and in fact a number of the BSD
utilities made it into Windows - including their BSD copyright notices in

Consider also that the military would almost certainly not want to use an
open source scanner because that gives the enemy a list of what
you know about, and what ones you possibly don't.  I can think of a
of other deep pockets like VISA that are the same way.  Closing the
for Nessus 3 will open it up to consideration by a number of customers
would have been prevented from using it.  Almost certainly the research
in the vulnerabilities that go into Nessus 3 will trickle into Nessus 2
eventually.  So this move, far from being a blow to OSS, actually
strengthens it.  If you
to bitch about something then bitch about SAINT.


>-----Original Message-----
>From: owner-freebsd-questions at
>[mailto:owner-freebsd-questions at]On Behalf Of Gayn Winters
>Sent: Thursday, October 06, 2005 9:04 AM
>To: freebsd-questions at
>Subject: Nessus no longer open source
>
>One of the highest rated open source security programs, nessus, will no
>longer be open source.  Quoting from an email from Renaud Deraison
><rderaison at> to nessus-announce at,
>"Nessus 3 will be available free of charge, including on the Windows
>platform, but will not be released under the GPL.
>
>"Nessus 3 will be available for many platforms, but do understand that
>we won't be able to support every distribution / operating system
>available. I also understand that some free software advocates won't
>want to use a binary-only Nessus 3. This is why Nessus 2 will
>continue to be maintained and will stay under the GPL."
>
>I'm not sure if Nessus 3 will be supported as a FreeBSD package.
>
>Apparently the folks at Tenable feel that they have been supporting the
>open source community but have been getting little back in plug-ins and
>vulnerabilities and virtually nothing back on the scanning engine for
>over six years. In fact, they have been slowly tightening their
>licensing (cf.
>, and
>it would appear that they can and will continue to tighten it over time.
>Fyodor's analysis
>( is that
>the open source community should take heed.  He provides a list of ways
>to contribute to open source software projects.  While the list is
>excellent, there are no new ideas in it.  The thing that seems germane
>to the FreeBSD community is that ports, even extremely popular ones, are
>vulnerable, since under the GPL the AUTHOR of the code is not bound by
>the same restrictions that the users are.  I'm not a lawyer, but as I
>understand it, the author can create a derived work of something under
>the GPL and license the derived work (a "rewrite" in the case of nessus
>3) and arbitrarily restrict it.  Given Renaud's claim that no one
>contributed to the scanning engine, he seems to have every right to
>create a new and closed version of it.
>
>The moral here, if there is one, is that if you really like a port, then
>you should contribute to it one way or another!
