Web Devout tidings


Archive for the 'Security summary' Category

Secunia stupidly removed their RSS feed

Tuesday, March 31st, 2009

I just realized today that I hadn’t seen any Secunia vulnerability updates in a long time. I knew they had done some site redesign work, and I figured they just changed the URL of the RSS feed. So I sat down at my computer to find it, but there didn’t seem to be one anymore. A quick hop on Google led me to this forum post explaining that Secunia no longer provides a free RSS feed for vulnerabilities:

As you have noticed we no longer provide our vulnerability intelligence through the Secunia RSS Feed.

Explanation:

Today a large number of businesses and governments are subscribed to the commercial Vulnerability Feed from Secunia.

Over the past couple of years, Secunia has noticed that numerous businesses and governments have signed up for the Secunia RSS feed; as a result, there has been a loss of revenue for Secunia which has limited us in our endeavors on providing sustainable and quality solutions.

It is naturally not fair toward our customers that larger IT departments are receiving intelligence free of charge – using our RSS feed – as others would have to invest in it.

The service that will replace the need for our RSS feed will be the Secunia Vulnerability Intelligence Feed – VIF. This is naturally a commercial solution; please see attached PDF for further clarification.

In my opinion, this was a very dumb move by Secunia. Keep in mind that the RSS feed didn’t provide anything that wasn’t already public; it just provided it in a different format. In a few minutes, I could write something that generates a similar RSS feed from the HTML output of Secunia’s website (although their terms of service are also excessively heavy-handed about this). This is a common-sense usability feature, not a product that should require a paid subscription. For Secunia to restrict its availability to paying customers is akin to Google suddenly making message collapsing in Gmail conversations available only to people who fork over cash.

One of the things that made Secunia so appealing to me was how accessible their information was. Now, it’s like the site is living in the 1990s. It’s a real shame when a company is willing to cripple their service like this rather than find a legitimate business model. Secunia has some very valuable assets; if their business really depends on profit from a mere RSS feed of already-available data, they’re doing something wrong.

Because of the removal of the RSS feature, my Web browser security summary page is likely outdated. I’ll go through Secunia’s advisory archives and update my data sometime soon.

New web browser security information

Sunday, May 7th, 2006

A lot of new statistical information has been added to the Web browser security summary resource. Since security is a significant factor in deciding which browser to use, this resource tries to present the situation from as many different angles as possible.

More security summary additions

Wednesday, March 8th, 2006

There have been some more improvements to the Web browser security summary page. In order to present more perspective, all sections have now been split up into subsections that deal with advisories, vulnerabilities, and relative danger levels separately. There is also a new section of the Vulnerabilities table that shows the highest number of open advisories, vulnerabilities, and relative danger that each web browser has had at one time.

Browser security graphs

Saturday, February 25th, 2006

The Web browser security summary page now includes graphs showing the relative number and severity of known unpatched security vulnerabilities over time since November 2004 in Internet Explorer, Firefox, and Opera. The graphs are updated automatically as time goes on and as new security vulnerabilities are discovered and fixed.

It is interesting to note that, although the usage share of Firefox and Opera continues to rise, the number of vulnerabilities seems to be in an overall decline. Meanwhile, the Internet Explorer vulnerability count continues to be on the rise.