Snyk.io – Find and fix known vulnerabilities in Node.js dependencies (snyk.io)
38 points by proyb2 on Dec 27, 2015 | 7 comments



From their policies page:

> by uploading or posting content to the Platform and providing access to your system’s source code repository, you hereby grant to Snyk, limited to the extent it is necessary in order to enable your use of the Platform, a perpetual, worldwide, non-exclusive, royalty free and transferable licence (with right to sub-license) to, including without limitation, use, display and transmit the content and source code

... No thanks.


You've omitted the previous paragraph: We claim no intellectual property rights over the material you provide to the Service. Your profile and materials uploaded remain yours. However, to enable your use of the Platform, we do need to inspect portions of your code, communicate parts of it (e.g. the dependencies being used) to the Snyk servers, etc. For that purpose, by uploading or posting content to...


The omission is inconsequential. One does not require intellectual property rights to abuse "a perpetual, worldwide, non-exclusive, royalty free and transferable licence (with right to sub-license) to, including without limitation, use, display and transmit the content and source code."

A service allowing consumers to "find and fix known vulnerabilities in Node.js dependencies" certainly does not require a transferable license (especially one with the right to sub-license). A transferable license allows the licensee to freely assign the license to any other party without the licensor's consent. The wording includes the right to sub-license, allowing the same license to be granted to another third-party -- again, without the need to obtain the licensor's consent due to its inclusion as part of the transferable license statement.


Fair point, language is probably too broad (was just in the lawyers template...). Note it is "limited to the extent needed to provide the service", but can be reduced further, as we (Snyk) never had any intent to do anything more than what's needed for the service. We'll remedy that in the next couple of weeks.


You might also look at https://github.com/nodesecurity/nsp

The Node.js ecosystem is still fairly immature with regard to formalized security, certainly in comparison to, say, the Java ecosystem. There just aren't as many people filing CVEs on packages as a part of vetting their stacks, and certainly far fewer people focused on that part of the security process.

To a certain degree tools are only going to be as good as the security environment. If people aren't filing CVEs at an appropriate pace given the level of vulnerability out there, and it takes a village, etc, etc, then no one group is going to be able to deliver a good security service on their own, since these services are individually (a) a megaphone and filter for a CVE RSS feed, and (b) a minor source of CVEs.
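The comment above describes what a dependency-scanning service actually does at its core: filter a stream of advisories down to the ones that match packages in your tree. The following is an added example written for this thread, not code from Snyk or nsp. It walks an `npm ls --json`-style dependency tree and reports any package whose version falls in an advisory's affected range, including transitive dependencies. The package names, versions and advisory IDs are constructed placeholders, not real packages or CVEs.

```javascript
// Added example: minimal known-vulnerability matcher over a Node.js dependency tree.
// Not Snyk's or nsp's code. Advisory IDs and package names are constructed placeholders.

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into numeric parts; the prerelease tag is
// dropped for this illustration (a real tool needs full semver precedence rules).
function parseVersion(v) {
  const core = String(v).split('-')[0];
  return core.split('.').map((n) => parseInt(n, 10) || 0);
}

// Returns -1, 0 or 1 comparing two version strings numerically per component,
// so "1.4.2" < "1.10.0" (a plain string compare would get this wrong).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// An advisory covers the half-open range [introduced, fixed); fixed === null means
// no patched release exists yet, so every version from `introduced` on is affected.
function isAffected(version, advisory) {
  if (compareVersions(version, advisory.introduced) < 0) return false;
  if (advisory.fixed === null) return true;
  return compareVersions(version, advisory.fixed) < 0;
}

// Walk a tree shaped like `npm ls --json` output:
// { name, version, dependencies: { depName: { version, dependencies: {...} } } }
// and return one finding per (package instance, advisory) match, with the path
// through the tree so the reader knows which top-level dependency pulled it in.
function findVulnerable(tree, advisories) {
  const findings = [];
  function walk(node, name, path) {
    for (const adv of advisories) {
      if (adv.package === name && isAffected(node.version, adv)) {
        findings.push({
          id: adv.id,
          package: name,
          version: node.version,
          fixed: adv.fixed,
          path: path.join(' > '),
        });
      }
    }
    for (const [depName, dep] of Object.entries(node.dependencies || {})) {
      walk(dep, depName, path.concat(depName));
    }
  }
  walk(tree, tree.name, [tree.name]);
  return findings;
}

// Constructed sample advisory feed (placeholder IDs, not real CVEs).
const ADVISORIES = [
  { id: 'ADVISORY-0001', package: 'example-parser', introduced: '1.0.0', fixed: '1.4.2' },
  { id: 'ADVISORY-0002', package: 'example-template', introduced: '0.0.0', fixed: null },
];

// Constructed sample dependency tree. The same package appears twice at different
// versions, which is common in npm trees and is why transitive deps must be walked.
const TREE = {
  name: 'my-app',
  version: '1.0.0',
  dependencies: {
    'example-parser': { version: '1.4.2' }, // patched version: should not be reported
    'example-web': {
      version: '2.1.0',
      dependencies: {
        'example-parser': { version: '1.3.0' }, // transitive, affected
        'example-template': { version: '3.2.1-beta.1' }, // affected, no fix available
      },
    },
  },
};

const findings = findVulnerable(TREE, ADVISORIES);
for (const f of findings) {
  const fix = f.fixed === null ? 'no fix available' : `upgrade to >= ${f.fixed}`;
  console.log(`${f.id}: ${f.package}@${f.version} via ${f.path} (${fix})`);
}
```

Two things this illustrates about the "filter for a CVE feed" point: the matcher is only as good as the advisory list it is fed (an empty or stale `ADVISORIES` array silently reports nothing), and the transitive walk matters because the direct dependency here is patched while the copy nested under another package is not.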


I remember seeing something similar posted here for Ruby (RubyGems). Does anybody remember what that service was called?






