Slashdot Mirror


Nessus 3.0 discussed

An anonymous reader writes "Nessus is one of the world's most popular (open source) vulnerability scanners, used in over 75,000 organizations world-wide. Many of the world's largest organizations are realizing significant cost savings by using Nessus to audit business-critical enterprise devices and applications. With the recent news of going closed source Ron Gula took a few minutes to talk to SecurityFocus. From the article: 'I speak to a lot of different open source project managers and they say similar stuff -- it's mostly free users and not really code contributors.' What would happen now? Nessus 3 will provide an average 5x speed improvement compared to the old, but open source, 2.x version, and a lot of new features."

33 of 131 comments

  1. GPL resistance? by dada21 · · Score: 3, Interesting

    What is the primary reason that corporate policy precludes using GPL'd software? I thought the friction was reduced in the most recent GPL version. Is this being addressed in the next GPL?

    I know some consider it broke, but Nessus is fairly popular, and the GPL resistance seems a key reason for going closed source.

    1. Re:GPL resistance? by dada21 · · Score: 3, Insightful

      But are most users incorporating Nessus code or are they using Nessus as a standalone product?

      I'd assume utilizing GPL'd software in a standalone fashion should have no bearing on your output, right?

    2. Re:GPL resistance? by fpu · · Score: 4, Informative

      Fyodor (author of NMAP) posted about Nessus going closed source in the nmap-hackers mailing list some weeks ago. It seems that Tenable's main point is not GPL-resistance from the enterprise customers, but rather the fact that there has been almost zero code contributed to Nessus, and that by providing its source, they were helping a lot of companies that could be classified as their competitors. I, for one, can see their point, even if I am a strong advocate of free software (free as in FSF, not OSF).

      However, as has already been stated, that does not mean this is the end of free Nessus -- it will still be free, except we no longer will be able to look under the hood. Since many of us automate Nessus directly through the command line client and parsing of NBE files, I believe that this will impact very little even power users.

      --
      /usr/games/fortune: command not found
    3. Re:GPL resistance? by Kjella · · Score: 2, Insightful

      Because the GPL is viral in nature. If one of your developers links the sourcecode of your flagship product with a GPLed library, your flagship product now must be released under the GPL... It may sound like FUD, but it's also true...

      My, what a classic troll. Almost antique. Distributing without a valid license could lead to civil and criminal penalties, but never to forced release of code. Complying with the license afterwards would have no influence on your legal liability. The developers may offer to drop the lawsuit in return for complying instead of suing for $150,000 / incident, like the RIAA/MPAA. In other words, OSS developers are typically extremely forgiving compared to other copyright holders.

      --
      Live today, because you never know what tomorrow brings
    4. Re:GPL resistance? by Master+of+Transhuman · · Score: 3, Interesting

      "there has been almost zero code contributed to Nessus, and that by providing its source, they were helping a lot of companies that could be classified as their competitors"

      First, the two points are independent.

      And the first one is almost irrelevant. Who cares if nobody contributes to your OSS project? That's irrelevant to anything. Naturally, due to the nature of the concept of OSS, it would be BETTER if a community of developers appears and supports the project - that's the advantage of OSS over proprietary. But it's not a requirement per se. In fact, however, it usually indicates that there is a REASON for this - which might be how the project is run, the technical difficulty of the project, the niche market for the project, or any number of things - some of which might be solvable, some may not.

      The second point is just a refutation of the concept of OSS: instead of trying to make money from support or other business models using OSS, just dump the concept and go back to being proprietary. It's NOT A REASON, it's a CHOICE!

      And again, it goes back to the what and how of the project. Does Linus complain that Sun uses Linux while producing OpenSolaris - arguably a "competitor"? Granted, Linus doesn't view himself as a "competitor" in business against Sun - he's simply a developer who wants to advance the state of the art in OS building.

      The problem is, the Nessus guy does view himself as a competitor in a closed market. He wants to use Nessus to produce other security software and sell it. He views everybody else who uses Nessus to produce other security software to sell as "competitors". Well, they are - if that's your business model.

      It's an issue of perception, however, not necessarily reality. It's also an issue of whether you feel you can BE competitive on a level playing field - obviously this guy doesn't.

      That doesn't make his choice the right one - it's just his choice. I think it will cost him in the future.

      Open source doesn't mean you don't have competitors. Every project stands or falls on its merits in the marketplace of ideas. That's why we have something like a thousand Linux distros - most of which are utterly irrelevant to most users and utterly irrelevant to the position of Linux in the marketplace of users.

      And open source as a SOURCE of business models is not different. The question is whether you can develop a business model that allows you to make money - or even get "rich" (whatever "rich" means to you), if you're smart enough - and that's really not relevant to open source as a development model.

      Some people deride open source as a bunch of geeks working for free while somebody else gets rich off their efforts. While this may in fact happen on occasion, it isn't a direct consequence of the OSS development model.
      The only place where it might be an issue is in developing something that can be seized on by a company like Microsoft which ALREADY has a monopoly position due to its closed source model and its business practices and then turned against the OSS developer. The GPL was intended to prevent this by disallowing the incorporation of OSS software into a proprietary product and closing off access to the source.

      But the GPL says nothing about somebody taking an OSS product, incorporating it into a different (preferably better) OSS product, and thus obsoleting the original OSS product. The OSS COMMUNITY says that you SHOULD return value to the original OSS product. But that doesn't always happen, nor should it always happen.

      If you develop an OSS product, and try to make a business out of it, you should be smart enough to assume that other people will take your product and try to develop a business around it as well - and conduct yourself accordingly. If you believe in the OSS model, you can find ways to continue to develop using that model and still compete effectively.

      The Nessus guy just doesn't believe in the OSS model, it's that simple.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    5. Re:GPL resistance? by rxmd · · Score: 2, Insightful

      And the first one is almost irrelevant. Who cares if nobody contributes to your OSS project?

      I guess the project developer certainly does.

      But the GPL says nothing about somebody taking an OSS product, incorporating it into a different (preferably better) OSS product, and thus obsoleting the original OSS product.

      If I understand correctly, the competition wasn't exactly from competing OSS projects, rather from companies providing services around the system that he built. In effect, he had a hard time competing with them, because he had to develop the software, while his competitors in the service arena just used the software he developed. As far as I can see, this is a perfectly legitimate point.

      The Nessus guy just doesn't believe in the OSS model, it's that simple.

      You could also put it that way: he tried the "OSS model", it cost him while providing zero benefit, so he drops it again.

      Open source really should be a two-way street. If the community only takes your work to profit from it and provides very little in return, there's no incentive for a developer to do open-source work.

      --
      As a state gets corrupt, its laws multiply; the most corrupt states have the most numerous laws. (Tacitus, Annales 3:27)
    6. Re:GPL resistance? by Master+of+Transhuman · · Score: 2, Insightful
      While I agree that OSS should be a two-way street, it doesn't require EVERYBODY using an OSS product to contribute to the project.

      The idea that all users should be developers is nonsense. "Contributors", perhaps - "Here's a feature we'd like you to provide" - but even there, some people may use a product and be perfectly happy with what it does and not need anything else.

      You can't say they can't use it just because they don't contribute to the project. That's just making a contract law substitution for a monopoly - "You can't use this unless we benefit directly." How is that different from the RIAA and MPAA wanting to license every possible meaning of fair use to produce revenue?

      It's normal that humans do this - no human can possibly allow any other human to somehow profit from the first one's actions. It's just not human nature. But it's not rational and it doesn't work to the benefit of the species as a whole, and thus it doesn't work to the benefit of most individuals, due to the economic effects.

      As for people developing services around the product that compete with the developer's own services, this is, as I pointed out, irrelevant to the OSS model. It's the BUSINESS model that matters here, not the development model. So he closes the source? So what? Just because he speeds up Nessus by a factor of five, does he think no one else will? If somebody forks version 2 and speeds it up by 5, his competitors can use that version to continue to compete with him. It's totally irrelevant whether the source is closed or not in that regard.

      The OSS model did NOT "cost him" - his business model - or lack of one - is what cost him.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    7. Re:GPL resistance? by Tony+Hoyle · · Score: 2, Interesting

      Not really, what he said *is* true.

      If your application links with *any* gpl code it cannot be distributed without making the whole application GPL. That's the reason for corporate policies against using GPL software - the risk is too great.

      'complying with the license afterwards' == 'release your software as GPL'. Not acceptable - and most companies would *prefer* to pay $150,000 per incident than do that.

    8. Re:GPL resistance? by LurkerXXX · · Score: 2, Insightful
      So he closes the source? So what? Just because he speeds up Nessus by a factor of five, does he think no one else will? If somebody forks version 2 and speeds it up by 5, his competitors can use that version to continue to compete with him. It's totally irrelevant whether the source is closed or not in that regard.

      It certainly is relevant. Now his competitors have to put in the effort to try to figure out how to speed it up by 5 and spend a LOT of their time coding. That puts it on a much more even level than him doing all the work for them.

      OSS *IS* the problem with his previous business model.

  2. Hold your horses by xfletch · · Score: 3, Informative
    Before the open source hordes come rampaging it is worth noting that Nessus is still free.

    Nessus 3 will be free of charge for end users or service providers or consultants to do whatever they want with it, except put it into a product or re-brand it as their own software.

    They are looking to make money on their support of the product, which is a well established model.

    1. Re:Hold your horses by Kjella · · Score: 4, Insightful

      They are looking to make money on their support of the product, which is a well established model.

      And fully possible without closing the source. The name can be protected by trademark, and people will rather have the developers supporting it than someone else. Besides, there is no reason to assume it will continue to be free. Basically, it's no longer an OSS project, it's freeware given away by a business. Been there, in general rarely been happy with it. Expect NessusPlus for $$$ soon.

      --
      Live today, because you never know what tomorrow brings
    2. Re:Hold your horses by paranode · · Score: 2, Informative

      Yeah but they closed the source because competitors were getting all of the fruits of their development for absolutely nothing. Once you move out of the 'useful little app' phase and into something that people are seriously interested in for the large scale, it's time to reconsider giving your product away for free so somebody else can make money off of it. Most people would call this success though I guess the grumpy OSS zealots hate to see 'free' software developers actually get paid for their work.

    3. Re:Hold your horses by Sancho · · Score: 2, Informative

      As I understand it, the company was getting no return on the GPL investment. That is, they weren't receiving many, if any, patches from their users. And what's worse, their competitors were taking their ideas and innovations and using them in their own products.

      I like having the source available to me, but some people aren't in it for the humanitarian aspect. The owners saw no benefit for releasing the code under the GPL and were having some detriments, so they stopped.

  3. More info links by lampiaio · · Score: 5, Funny

    Wikipedia entry
    Official Website

    sorry, bad karma makes people do this kind of post...
    :(

    --
    My other account has mod points.
  4. Seems simple enough... by Anonymous Coward · · Score: 5, Interesting

    You own the project. You can decide whether it's open source or not.

    However, some questions:

    1. Can someone more familiar with the licensing process elaborate on the pandora's box here?

    Imagine that you are a code contributor who in **good faith** contributed a patch or entire modules under the assumption that such contributions were going to be under that open source license. Now that the company pulls the source and closes it down, does that mean they took your work and will use it for their closed source purposes without your consent? Profit from it? Can you revoke their access to it? I can't imagine that such licenses have a statement of what happens to the code once it leaves your hands and goes into the archive... Imagine: "All your work becomes property of our CVS tree and cannot be returned if the tree becomes closed."

    2. Why wouldn't they just keep the CVS tree accessible by main developers and give only those important people commit access?

    Like pretty much any large project (*BSD, Linux kernel) does? Yep, I know -- they make it so those without such access cannot check out code just to see if they want to be part of the project in the first place. But could they be convinced if enough people show interest? I guess that's the problem -- too many users, not enough developers or users with enough motivation/ability to make useful changes and additions.

    3. How long until we see OpenNessus or (insert clever derivative name here)?

    Just like other projects with licensing/source/philosophical issues - make a fork of the last available code and try to go their own way. Just like OpenBSD from NetBSD, IPCOP from Smoothwall, etc. etc.

    Just curious.

    1. Re:Seems simple enough... by eht · · Score: 2, Interesting

      1. Many open source projects require you to transfer copyright of any submitted code to them, not to sublicense it to them under your choice of code.

      MySQL for example will license you their source in either GPL or non-GPL varieties so that you can incorporate it into your software to resell and not provide a license, they can dual license because they own all the code, they could not dual license if someone had submitted code under the GPL to them.

      They also seem to have not had very many people contribute back to them.

      2. They can't close up the GPL'd source any more than you can because they've already released it, but now future improvements won't be released to the public.

      3. In about as long as it takes for someone to register a domain and post the code. Whether or not it will be developed much is really the question.

      One of the problems the Nessus team faced is that they would sell support, but because the project is open source and available to anyone, anyone else could also sell support, or make their own improvements and rent out "Nessus servers", this is one of the holes hoped to be "closed" by the next version of the GPL, but we'll see.

    2. Re:Seems simple enough... by penguin-collective · · Score: 2, Informative

      Now that the company pulls the source and closes it down, does that mean they took your work and will use it for their closed source purposes without your consent? Profit from it? Can you revoke their access to it?

      If the project is (L)GPL and you contributed under the GPL, they can't close the source.

      If the project is, say, MIT, X11, or BSD licensed, and you contributed under one of those licenses, then they can.

      I guess that's the problem -- too many users, not enough developers or users with enough motivation/ability to make useful changes and additions.

      There is no problem; a project like Nessus shouldn't need more than a handful of developers. However, a large user community is still useful: they act as testers and generators of ideas.

      How long until we see OpenNessus or (insert clever derivative name here)?

      I would guess fairly soon. Personally, I'd like to see a rewrite, though, and a better UI.

    3. Re:Seems simple enough... by m50d · · Score: 2, Informative
      Imagine that you are a code contributor who in **good faith** contributed a patch or entire modules under the assumption that such contributions were going to be under that open source license. Now that the company pulls the source and closes it down, does that mean they took your work and will use it for their closed source purposes without your consent? Profit from it? Can you revoke their access to it? I can't imagine that such licenses have a statement of what happens to the code once it leaves your hands and goes into the archive... Imagine: "All your work becomes property of our CVS tree and cannot be returned if the tree becomes closed."

      Depends on the license. Some things, such as the linux kernel, just want you to license it under GPL to them, in which case they're going to have to write a replacement for your part. But other projects require you to assign copyright to them - mysql and qt do this so they can release closed-source versions, but also e.g. the FSF requires assigning copyright so they can enforce violations better. I imagine Nessus required assigning copyright, otherwise a license change like this would be impractical. But then again, the reason for this is apparently that they were getting very few code contributions, so maybe the author has just rewritten everything that was contributed.

      Just like other projects with licensing/source/philosophical issues - make a fork of the last available code and try to go their own way. Just like OpenBSD from NetBSD, IPCOP from Smoothwall, etc. etc.

      It's happened already. http://sf.net/projects/segusius

      --
      I am trolling
    4. Re:Seems simple enough... by allan_q · · Score: 2, Informative
      If the project is (L)GPL and you contributed under the GPL, they can't close the source.

      Unless all contributors agree to re-license their work. IANAL, but I think this allows future versions to be closed.

  5. This only goes to show... by TechnoGuyRob · · Score: 4, Interesting

    ...that as technology grows more and more sophisticated, companies will start outsourcing more and more. It used to be affordable to hire a guy or two as permanent company staff to manage your website or network servers. But now you need to ask an entirely different company to provide you the services necessary for network administration.

    Hopefully, Nessus 3 will also solve some of the problems Nessus has been having. According to Wikipedia, "some of Nessus's vulnerability tests can cause vulnerable services or operating systems to crash." For those who are wondering, Nessus scans vulnerabilities mostly on the application and network layer. Usually it port scans open ports for vulnerabilities, and looks for various network problems such as computers in promiscuous mode, etc.

    For any of you network admins out there, a friend of mine has a medium business LAN and has been using Nessus, and it's working very smoothly for him; however, I recommend looking more into it before making any quick decisions based on Slashdot articles.

    1. Re:This only goes to show... by redmoss · · Score: 2, Insightful

      If there are Nessus tests that can cause a service or OS to crash, then that service or OS has an urgent security vulnerability that needs to be fixed. I wonder whether these vulnerabilities have been posted to Bugtraq and the like? Or maybe they are widely known, but the companies who produce the vulnerable product never fix it?

  6. even though it's still free by know1 · · Score: 2, Interesting

    the sad thing about closed source is there is no way to tell what info is being sent back to the manufacturer, a la microsoft.

    1. Re:even though it's still free by Cheapy · · Score: 2, Insightful

      The sad thing about open source in this case is that people were just using it and not contributing back. Maybe if some people pledged to contribute if the source was released, things could change.

      --
      Would you kindly mod me +1 insightful?
  7. End of the day, you don't eat good intentions by xtal · · Score: 5, Insightful

    It's unfortunate it went closed source versus a service-supported model, but in the real world, there's cheques to sign. If one group is doing the efforts and not being compensated, that's the cathedral model, and cathedrals have collection plates. Open source works best when users are developers. That also explains the state of most of the user interfaces on the more complicated projects. (sarcasm, but with a grain of truth)

    Something else I've noticed is open source works well on widgets and shared components and APIs. Once the toolset becomes very focused and vertical in appeal, the model works less well - unless the users are also developers.

    It will be interesting to see how the forked version works.

    Smoothwall has done a good job with their approach. We'll see how it continues in the future.

    --
    ..don't panic
  8. Wrong by Lifewish · · Score: 2, Insightful

    They wrote effectively all of V2, they can do with it as they wish (the GPL is a nonexclusive license, hence the success of dual-licensing). The only hairy issue is patches from the FOSS community, but apparently those were few enough to be handled on an individual basis or something.

    --
    For the love of God, please learn to spell "ridiculous"!!!
    1. Re:Wrong by say · · Score: 2, Insightful

      If you study FSF's GPL howto, you'll notice how important it is that you first preserve your copyright of the code, then GPL it. This is to establish that you - the copyright holder - choose to do the GPL on your own rights. Notice how this only works because you own the rights yourself.

      You can obviously withdraw this later, but people who have used/copied/improved/whatever'd your code won't be forced to stop using it. This is specifically stated in the GPL. But I can take what I own the copyright for, and release that (or a derivate) under a different (non-GPL-compliant) license.

      So the licensor is obviously not bound by his own rules. He defines the rules, because he is the licensor. The code he has released can't be recalled to his command, but he can do what he wants with his own copy. Contributions to a GPL project are often copyright-transferred to the project maintainer, which would make the above apply to them as well. If not, individual agreements would have to be made if Nessus wants to bring them into v3.

      --
      Roses are #FF0000, violets are #0000FF, all my base are belong to you
    2. Re:Wrong by Yaztromo · · Score: 4, Interesting

      But even one segment of code from an outside author, released to them under GPL, would require the release of their SW's source under the included code's GPL.

      The simple solution to which is simply to remove the contributed code completely, and independently re-implement its functionality (if having that functionality is desired and/or necessary).

      I had to do something similar (but for a release in the opposite direction -- from closed source to OSS) for the jSyncManager Project. The version 1.0 series was coded entirely by myself, and was only ever released as closed source software (albeit as 100% free-as-in-beer software via the web; I completed v1.0 of this project as a thesis project, and felt that getting outside help by allowing others to inspect and comment on the code might have been considered "cheating" by some). A few weeks after v1.0 was released, I was hired by IBM Canada as a software developer.

      The problem then became that nasty contract provision you have to sign when you join a company like IBM: the "what's yours is ours, and what's ours is ours" agreement, which basically states that anything you develop while employed by the company, even if it is completely on your own time and uses nothing learned from your employment at the company, belongs to the company. Fortunately, I was able to list existing technologies I had developed prior to joining IBM on said contract -- they were exempt so long as I stopped working on them while employed by the company.

      There was, however, significant interest in the technology within IBM, and an IBM branded version called "ManplatoSync for Java" eventually made its way to IBM's alphaWorks website. It included a significant rewrite of the GUI code, along with some new functionality, parts of which were contributed by other IBM employees. The intention was always to release the sources under the IBM Public License -- but the legal eagles who had continuing discussions (which I wasn't part of), and kept holding off on a source release (the whole discussion of which apparently died once I was released from the company).

      When I was later let go from the company, and free from their restrictions as to what I could and couldn't work on, I decided I wanted to release the jSyncManager as Open Source Software. But I couldn't just take ManplatoSync for Java and re-brand it back to the jSyncManager -- it was encumbered with IBM copyrights. I couldn't even retain functionality since jSyncManager v1.0 which I myself had written in those intervening 2.5 years, because it too was considered IBM property (nevermind the fact that I wrote it and didn't get paid one single red cent by IBM for any of it. Indeed, when I was later invited to speak on the technology at various conferences, the company forced me to use my own vacation time to do so).

      At that point, I had two choices: give up and find something else to work on, or suck it up and go back to the pre-IBM sources and work from there. And that's what in the end I decided to do: I took my pre-IBM sources, made them Open Source, and then worked my ass off to re-implement all of the lost functionality (along with a lot of functionality that the IBM releases never had, like USB device support and network data synchronization), and released it all as GPL/LGPL software.

      The Nessus team could very well have elected to do something similar -- just strip out any external contributions, and then work from there. The unfortunate thing about going from Open Source to Closed Source, however, is that contributors are now forced to take the team's word for it that they stripped out any such contributions (assuming that they didn't re-assign copyright to the Nessus project when they were submitted -- something I've never asked any of my contributors to do), as you can't look at the source to see if your code is still in it (i

    3. Re:Wrong by Yaztromo · · Score: 2, Interesting
      I'm curious why you released the source under GPL, and whether that worked out as you expected.

      There were a few factors which played in this decision:

      • I was fresh out of work, and needed a project to keep me busy,
      • I didn't want to wind up in a similar situation with my next employer. By releasing the code as GPL/LGPL, and putting it on SourceForge, at least it couldn't be buried in a filing cabinet somewhere, even if I weren't permitted to work on it anymore (and with more and more employers in the computer industry permitting their employees to work on OSS projects on their own time, I was hoping that by being OSS when joining any such company I could potentially continue to work on the project under such a framework),
      • Perhaps most importantly, the project was getting too big for just one person to work on. I needed outside help, but didn't have the money to pay people to work on it. Nor did I think it would be feasible to make it into a commercial product (although corporations are our biggest base of users, the jSyncManager is a tool that only a small fraction of a percentage of corporations have a need for, so finding customers would have been extremely difficult and expensive. The corporations which use the jSyncManager are spread all around the globe, with the majority of them overseas. Being Open Source made it easy for them to find us and try out our code with no layout of funding from me -- under the closed source model I would have had to spend a pile of money on all sorts of advertising just to find these customers in the first place)

      How has it worked out for me? As with anything, there have been upsides and downsides. On the upside, in the end I have made some money from the project, through being hired as a developer and consultant in implementing it for a medical data system. I'm not making anywhere near what I did as a developer at IBM, but it's sufficient to live off. It's also allowed me to make some contacts and open some doors -- it's quite easy for me to show an organization my experiences in managing a diverse, dispersed team developing a fairly large project, and they can also see the overall project (and code) quality.

      On the down side, I know what it's like for a project to have more users than contributors. I'm still the largest contributor to the project, and do the vast majority of the work (although this itself has increased and decreased over time -- some contributors come and go, while others have become too busy with their professional lives to contribute on a regular basis, but still follow the project). External contributions are very rare (but are greatly appreciated whenever they are given!). I can pretty much always use more help -- as it is right now, I do the vast majority of coding, administration, technical support, releases, and documentation. And as I do have responsibilities outside the jSyncManager Project, this often means that development appears to be very slow (it has been more than 2 years now since our last "final" release, although we have had a number of alpha and beta releases since that time (part of the delay being due to some time I served in the Navy and was unable to do any development)).

      It also doesn't completely help that the very devices the project is designed to communicate with (PalmOS based handhelds) have been seeing a diminishing market share. It's always easier to find contributors and users when your target audience is increasing, rather than when it is decreasing (although a decreasing share can have an interesting bubble-effect, as those who are still embracing such a technology look for groups they can partner with for a reliable, medium-to-long term solution. Open Source is very attractive in this area, as you never know when a commercial, closed source partner might go out of business, or stop offering the product or support your organization needs).

      So, as with anything, you have to take the good with the bad. My experiences seem to have tended towards the good, although the benefits aren't always immediately tangible.

      Yaz.

  9. open source != open source project by penguin-collective · · Score: 5, Interesting

    'I speak to a lot of different open source project managers and they say similar stuff -- it's mostly free users and not really code contributors.'

    If your open source project is popular but you don't manage to attract contributors, the fault is likely with the people managing the open source project: any popular project potentially has hundreds of contributors.

    Just writing software, making it open source, and having it become popular doesn't create an "open source project"--you have to design and manage the project as an open source project. You have to make it easy for people to contribute, organize the code appropriately, be nice to potential contributors, and give people an incentive to contribute.

    (Just one data point: last I looked at Nessus, it didn't look like a good foundation to build on for our needs.)

  10. So Here's The Deal by Effugas · · Score: 4, Interesting

    OK, so this is a fairly painful post to make. Ron Gula and Renaud Deraison were the first guys to bring me out for an interview after I graduated from college, and I've been supporting their attempts to manage those who really do just steal Nessus. But, in the interest of intellectual honesty, I've been asking around regarding the closing of the Nessus source.

    First of all, according to multiple sources, apparently the reason why there isn't a significant number of free plugins is because Renaud et al simply don't accept them, or when they do accept them, they substantially rewrite them enough such that a non-free version is what eventually makes it into the source. Now, I don't know this from personal experience -- and Renaud et al are welcome to deny this -- but this preference for suppressing the GPL component of Nessus has been strong enough that contributed free plugins have been suppressed because of overlap with non-free.

    Such behavior does not grow a developer community. Tenable has implied that there's a lot of leeches out there, and while indeed they have to suffer the most pernicious of parasites (companies that just rebrand their code!), there's good evidence that says the reason they don't get much code from the community is that they supposedly refuse what they do get.

    I wouldn't speak up on this, but I have to balance my continuing appreciation for Renaud et al's work (which, mind you, still has a very nice license for our needs) against the need to stem accusations that nobody ever tried to give back to Nessus. People have tried.

  11. What do you mean, "Funny"?? by lampiaio · · Score: 5, Funny

    "Funny" gives me no karma points! Get those informatives moving!

    --
    My other account has mod points.

  12. Re:I got some interesting results on my PC by Master+of+Transhuman · · Score: 2, Funny

    Switch to Linux - I assume that was the last output Nessus put up on the screen before the PC left...

    --
    Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!

  13. There is a fork by timbrown · · Score: 3, Interesting

    Speaking as one of the folks behind the OpenVAS (www.openvas.org) fork, there are plenty of people interested in maintaining an open source alternative. Interestingly, many of these people have attempted to work with Tenable in the past and have had their contributions ignored. IMO Tenable didn't understand how they could make money off the Nessus project without closing the source.

    As a side point, it would be interesting to understand how Tenable have dealt with contributions that they did accept for version 2 - have they been removed completely from version 3?

    --
    Tim Brown