Are McAfee’s activities unethical? Opinions are mixed

May 9, 2014 08:04 GMT  ·  By
OSVDB accuses McAfee and S21sec of violating ethics by scraping data from the vulnerability database

Earlier this week, representatives of the Open Source Vulnerability Database (OSVDB) accused McAfee and S21sec of scraping data from the vulnerability database without paying for a commercial license. McAfee has defended its actions, and some experts say that what the security company has done is not unethical.

Information from the OSVDB is free for individual, non-commercial use. However, in order to fund the project, companies that want to use the data must purchase a license through Risk Based Security, the OSVDB’s commercial partner.

Both McAfee and S21sec reached out to OSVDB asking for access to the data. When told about the license, S21sec representatives said they didn’t have a budget for it. McAfee wasn’t convinced that OSVDB could provide the services they had promised and even turned down a free 30-day trial.

Yet, after a while, both McAfee and S21sec were caught scraping the data without paying the license. S21sec is said to have made 3,600 requests in under half an hour, attempting to hide their tracks to a “limited degree.”

McAfee made over 2,200 requests between the morning of May 4 and the evening of May 6.
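The request counts in the two paragraphs above are what OSVDB used to spot the bulk scraping: a few thousand requests from one client in minutes or hours stands out against normal browsing. The following is an added example, not code from the article, OSVDB or McAfee, showing how a site operator can flag that pattern in ordinary web server access logs. It assumes Common Log Format and a per-client threshold of requests within a sliding time window; the log lines and the threshold values are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common Log Format: client, ident, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_line(line):
    """Return (client_ip, timestamp, path), or None for a line that is not CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path")


def peak_window_count(timestamps, window):
    """Largest number of requests that fall inside any interval shorter than `window`.

    Two-pointer sweep over the sorted timestamps: `start` is advanced until the
    span [start, end] is narrower than the window, so each request is visited once.
    """
    ts = sorted(timestamps)
    best = start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] >= window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_scrapers(lines, window=timedelta(minutes=30), threshold=100):
    """Map client IP -> peak requests per window, for clients at or above `threshold`.

    Lines that do not parse are skipped rather than aborting the whole scan.
    """
    per_client = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            ip, ts, _path = parsed
            per_client[ip].append(ts)
    flagged = {}
    for ip, stamps in per_client.items():
        peak = peak_window_count(stamps, window)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def _constructed_log():
    """Constructed sample: one client bursting 12 requests in 12 seconds,
    another making 3 requests an hour apart. Not real OSVDB traffic."""
    lines = []
    base = datetime(2014, 5, 4, 9, 0, 0)
    for i in range(12):
        t = (base + timedelta(seconds=i)).strftime("%d/%b/%Y:%H:%M:%S")
        lines.append(f'198.51.100.7 - - [{t} +0000] "GET /show/osvdb/{1000 + i} HTTP/1.1" 200 512')
    for i in range(3):
        t = (base + timedelta(hours=i)).strftime("%d/%b/%Y:%H:%M:%S")
        lines.append(f'203.0.113.5 - - [{t} +0000] "GET /show/osvdb/{2000 + i} HTTP/1.1" 200 540')
    # Shuffle order so the detector has to sort per client, as real logs from
    # several workers often arrive out of order.
    return lines[::-1]


SAMPLE_LINES = _constructed_log()

if __name__ == "__main__":
    for ip, peak in find_scrapers(SAMPLE_LINES, threshold=10).items():
        print(f"{ip}: {peak} requests inside one 30-minute window")
```

The threshold and window are policy choices: a value tuned to how many vulnerability entries a human reader could plausibly open in half an hour separates the bursts described above from ordinary use, while clients that spread the same volume over days still surface if the window is widened. A real deployment would also key on the User-Agent and on the set of paths hit, since a scraper walks entry IDs sequentially.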

“Overall, it is entirely frustrating and disappointing to see security companies who sell their services based on reputation and integrity, who claim to have ethics completely disregard them in favor of saving a buck,” OSVDB’s Jericho noted in a blog post.

So has McAfee violated ethics by scraping the OSVDB? McAfee has clarified the incident from its point of view and apologized.

“A McAfee researcher had been tracking vulnerability updates from multiple sources using an automated web tracking program. This allowed him to monitor and manage this reference data as he worked to create exploit protection signatures,” McAfee representatives told Softpedia in an emailed statement.

“Upon learning of the organization's concerns, and the number and frequency of site queries involved, McAfee moved quickly to terminate the activity in question,” they added.

“We are committed to maintaining the goodwill necessary for a robust vulnerability research community, including the use of information sources available to us strictly under their defined terms of use. We apologize for the offense this incident has caused. We will work to educate employees to avoid such situations in the future.”

On the other hand, experts from Errata Security believe that McAfee did not violate ethics by scraping the vulnerability database, pointing out that free access to public websites is exactly the principle defended by the late Aaron Swartz and Andrew Auernheimer.

“[Swartz and Auernheimer] were accused (and convicted in Weev's case) of scraping public websites. And this is all that some engineer at McAfee did. We can't apply this principle when it's convenient, when it's our friends, then turn around and deny the principle to others we don't like,” noted Errata’s Robert Graham.

“If McAfee then republishes that information without permission, that certainly could be an ethics/legal violation, because that's publishing copyrighted material. But that's not what McAfee is accused of doing. They are accused simply of accessing the information.”