New business model for open-source network scanner

Users of the Nessus vulnerability scanner, the popular open-source tool managed by Tenable Network Security Inc. of Columbia, Md., have been presented with a new menu of options for updating vulnerability signatures.

For the first time, users demanding immediate updates and full access to the library of plug-ins will have to pay an annual fee. Users who can wait for seven days can continue to get the plug-ins free.

The policy was structured to affect primarily commercial competitors of Tenable who use Nessus.

'We wanted it to be benign for users,' said chief operating officer Jack Huffard.

The move is a bid for recognition rather than money, said president and chief technology officer Ron Gula.

'The complaint is that we're doing it for money,' Gula said. 'We're not. If we were, we would just have taken Nessus to closed source.'

Nessus is a widely used network scanning tool that automatically checks for security vulnerabilities. It is a software product that runs on most Unix platforms. Vulnerabilities are kept up-to-date by means of plug-ins, small programs written to identify new vulnerabilities as they are discovered.

It is an open-source tool, distributed free of charge under the GNU Public License agreement. But the software is managed and the nessus.org Website is run by Tenable.

'For all practical purposes, Tenable is Nessus,' Gula said.

Most of the plug-ins that make Nessus work are owned by Tenable.

'We've been copyrighting them for a long time, but it wasn't widely known,' Gula said.

Although Tenable does not make money from Nessus, 'it is a great marketing piece,' Huffard said. 'When we call on potential customers, it's really a warm call, because a lot of them already are using Nessus.'

But the level of visibility gained from Nessus was not as high as the company wanted, and competitors using the tool for free were adding insult to injury. So in December Tenable redesigned the nessus.org Website to include the Tenable brand and announced a policy to exert greater control on the use of its copyrighted plug-ins.

Nessus itself still is a free download, but updated plug-ins are available under a three-tiered program:

  • A direct feed for $1,200 a year per scanner for commercial users, which provides immediate access to all new plug-ins.

  • A registered feed that is free for the general public and makes new plug-ins available seven days after their release to paying customers.

  • A GPL feed that does not require registration but provides only those plug-ins that are written by the Nessus open source community and distributed under the GNU public license.

The majority of plug-ins are written and copyrighted by Tenable, Gula said, making the GPL feed of limited use.

Because vulnerability scanning is done only periodically rather than continually, a seven-day wait for updates is not a major inconvenience for individual users running Nessus in their own enterprises. But commercial users of Nessus who charge for their services must keep their vulnerability libraries up-to-date, and many will be forced to pay the $1,200 fee for each scanner.

About the Author

William Jackson is a Maryland-based freelance writer.
