License of the database

[mcollina]

There is a significant number of vulnerabilities listed here. However, it's not clear what is the license that data is distributed under.

cc @nodejs/security-wg @nodejs/tsc we might as well ask to the Node.js Foundation lawyers about this, as these terms should have been discussed with the original data dump for nsp.

[ChALkeR]

@mcollina The repository has MIT License, and it looks to me that the db is currently being distributed under that liicense here.

An explicit confirmation would be great, though.

[vdeturckheim]

My understanding was that everything in the repo (including the vulnerabilities) was under MIT as @ChALkeR mentionned.

We can add a clarification to the vulnerabilities README if needed.

[mcollina]

The MIT license was added as part of the repository boilerplate (#9). The vulnerabilities were added in #26, and there was no discussion about the distribution license.

A clarification in the README would be good, thanks.

[dgonzalez]

Also we need to make sure that the appropriated license is MIT (at least for the vulnerabilities). We are allowing third parties to resell the information on the DB whereas with AGPL we guarantee that tools that use the data will be open or just internal for companies.

[ChALkeR]

Any updates on this?

[joepie91]

We are allowing third parties to resell the information on the DB whereas with AGPL we guarantee that tools that use the data will be open or just internal for companies.

I'm not sure whether it works that way for data, given that the AGPL (and the MIT, for that matter) are specifically source code licenses, not data licenses.

[mhdawson]

Cross posted here: nodejs/community-committee#271 to see if we can re-use what the community committee learned about the question they had and if not get some help to resolve.

[mhdawson]

Discussed in security WG meeting. Based on feedback from Foundation and discussion we believe that MIT is the right way to go.

[mhdawson]

Vladimir will update Readme.md to make it clear that it is under the same licence after

• pinging Adam on initial donation of data
• updating readme to clarify data will be published under MIT
• ensure that HackerOne template is clear that having submitted report includes agreement to have published under MITR.

[vdeturckheim]

I checked with @evilpacket this week. MIT works for him.