The Full Disclosure security mailing list, which has been one of the main discussion forums for vulnerability and exploit information for 12 years, is shutting down because “‘one of our own’ would undermine the efforts of the last 12 years”, one of the creators said.

John Cartwright, one of the creators of the Full Disclosure list, posted a message on the list saying that he was suspending the list immediately because someone in the security community had asked that a large number of messages be removed from the list’s archive for an unspecified reason. Cartwright did not name the person who made the request, but said he was unwilling to take a “virtual hatchet to the list archives on the whim of an individual”.

When it began in 2002, Full Disclosure was an alternative to the Bugtraq list, which was moderated, something that annoyed some of the members. The new list was meant to be a more free-form discussion and it often included information on zero day vulnerabilities, along with exploit code, especially in the early days. Many software vendors were not too happy to have data on bugs in their products published on a mailing list, but in 2002, most of those vendors didn’t have established security response processes, bug-reporting guidelines or even email addresses to accept vulnerability advisories. Full Disclosure was a valuable source of information on vulnerabilities in all manner of software and hardware and many vendors over the years began posting their own advisories to the list.

The list had more than its share of trolls and troublemakers and it got the occasional legal threat from vendors. But Cartwright said he never thought that the reason he’d have to shut Full Disclosure down would be the actions of a member of the list and not a vendor.

“I never imagined that request might come from a researcher within the ‘community’ itself (and I use that word loosely in modern times).  But today, having spent a fair amount of time dealing with complaints from a particular individual (who shall remain nameless) I realised that I’m done,” Cartwright wrote in his message.

“I’m not willing to fight this fight any longer.  It’s getting harder to operate an open forum in today’s legal climate, let alone a security-related one.  There is no honour amongst hackers any more. There is no real community.  There is precious little skill.  The entire security game is becoming more and more regulated.  This is all a sign of things to come, and a reflection on the sad state of an industry that should never have become an industry.”

Full Disclosure appeared on the scene at a time when many vendors were not paying a whole lot of attention to security and security researchers who found flaws in their products. Posting full details of a new bug for the world to see on the mailing list was one of the few methods researchers had to get vendors to pay attention and fix their software. Now, most major vendors have formal security response processes and deal directly with researchers on a regular basis, and some have lucrative bug bounty programs to reward them for their work.

And researchers who would rather go another route can simply post a link on Twitter or write a blog post, getting the word out more quickly than by sending a message to a mailing list.

“Most people I know unsubscribed from Full Disclosure a long time ago. The signal-to-noise ratio is very low, and these days vulnerability researchers have no need for traditional mailing lists to publish their findings.  We have blogs and Twitter, not to mention hundreds of security conferences.  I think many will be nostalgic about the early days of Full Disclosure, but closing the list will have no noticeable impact on the industry or our ability to share information,” said Chris Eng, VP of security research at Veracode.

The end of Full Disclosure puts a period at the end of that chapter in the security industry.

“I’m suspending service indefinitely.  Thanks for playing,” Cartwright wrote.

Image from Flickr photos of Rianna_reo.


Comments (3)

  1. Ilia Kolochenko

    The end of the Full-Disclosure list is definitely a milestone for the information security industry – a very sad one as years ago Full-Disclosure used to be one of the most reliable and popular sources of infosec/hacking information. But those days are gone and skilled hackers – both Black and White Hats – are no longer motivated to inform the public of their findings and exploits for free. They either work for vulnerability research companies like Vupen, participate in bug-bounties or simply sell 0days on the hacker black market. Obviously Full-Disclosure cannot exist without high-quality content, so I think this is why John Cartwright’s decision to suspend the Full-Disclosure list is entirely reasonable, but still sad.

    Being a regular reader of the list I also regularly see some off-topic posts, “holy wars”, fakes and other garbage that the administration has to filter every day. So, I perfectly understand the decision to suspend this list, as managing such a list in a proper way is a titanic daily job, especially nowadays.
  2. Conor

    Chris Eng doesn’t have a clue what he’s talking about. Blogs and Twitter? Yeah, great forum for people to discuss the veracity of potential vulnerabilities (you know, in one sentence), not to mention that it’d be next to impossible to find information like you would on a centralised resource like a mailing list. A blog author can just delete or hide comments if they don’t like “Full Disclosure”.

    Proposing social networks (which are run by American companies who have data negotiating with the American government) as an alternative demonstrates nothing more than the fact that Chris Eng is completely out of touch with reality. Not that this surprises me much given Veracode’s reputation.

    The FDML has been a great _centralised_ asset for people to share information over the years. It will be a sadly missed resource. Thanks to John for holding out this long.
