Add Data Licensing Page #133

Open

maennchen wants to merge 1 commit into main from jm/data-license

Conversation

@maennchen (Member) commented Mar 26, 2026

Fixes erlef/security-wg#58

TODO

voltone previously approved these changes Mar 26, 2026

@voltone (Contributor) left a comment:

Looks good to me: it is a bit verbose, but like I said elsewhere, I think it is good to be explicit. If the boundaries are not clear, then consumers of the materials may have to err on the side of caution and assume any data may be copyrighted.

Comment thread on data-licensing.md (Outdated)

@maennchen (Member, Author):

For context, here are a few examples of other providers:

| Source  | License            |
|---------|--------------------|
| CVE     | Public domain-like |
| GHSA    | CC-BY 4.0          |
| Red Hat | CC-BY 4.0          |
| RustSec | MIT/Apache         |
| Debian  | GPL-2.0            |
| Ubuntu  | CC-BY-SA           |

We might consider CC-BY to force attribution or CC-BY-SA to force vulnerability databases to keep the same terms.

I would probably prefer either CC0 (allow spreading wherever) or CC-BY (force attribution). I would love CC-BY-SA, but I would be scared that we'd be left out of some datasets.

Comment thread on data-licensing.md

Comment thread on data-licensing.md (Outdated)

@voltone (Contributor) commented Mar 26, 2026

> We might consider CC-BY to force attribution or CC-BY-SA to force vulnerability databases to keep the same terms.
>
> I would probably prefer either CC0 (allow spreading wherever) or CC-BY (force attribution). I would love CC-BY-SA, but I would be scared that we'd be left out of some datasets.

If data is shared in the context of a CVE, with the number visible, then the attribution is implicit: anyone can look up the authoritative record and see where it originated. If someone cuts snippets from our CVEs and uses them in a completely different context, then I don't know if we should care. I think the most important goal is to spread this data far and wide, without any impediments. So CC0 seems fine with me.

voltone previously approved these changes Mar 26, 2026

Comment thread on data-licensing.md (Outdated)

kikofernandez previously approved these changes Apr 2, 2026

@kikofernandez left a comment:

As mentioned before, I believe CC-BY 4.0 solves many of the known issues of CC0 in many jurisdictions. I would rather go by CC-BY 4.0, but I will approve to show that if there is a majority that prefers CC0, then the majority has spoken.

Development

Successfully merging this pull request may close these issues: Clarify Licensing for Security Advisory Data (OSV/CVE)

4 participants