BugTraq’s iconic security mailing list closed after 27 years



UPDATE: Two days after the publication of this article, Accenture Security offered to retrieve the mailing list and make it work. Original article below.


BugTraq, one of the industry’s premier mailing lists dedicated to publicly disclosing security breaches, today announced it will be shutting down at the end of the month, January 31, 2021.

The site played a crucial role in shaping the early cybersecurity industry.

Established by Scott Chasin on November 5, 1993, BugTraq provided the first centralized portal where security researchers could expose vulnerabilities after vendors refused to release patches.

The portal has existed for many years in a legal gray area. Discussions on the site about the legality of “disclosing” security vulnerabilities when vendors refuse to patch are what shaped most of today’s vulnerability disclosure guidelines, the axioms on which most bug hunters are operating today.

Today, it seems reasonable for a security researcher to post details of a fixed or uncorrected bug, but back then those details were often controversial, sometimes resulting in numerous legal threats.

But over time the popularity and principles of BugTraq won out. The portal became the first place where many major vulnerabilities were announced at a time when researchers could not easily host personal sites and blogs.

Similar bug disclosure lists have been created based on BugTraq’s original model, and many security companies founded over the years have often ended up scraping the site’s content as the basis for their own vulnerability databases.

BugTraq’s disappearance

BugTraq itself also changed hands several times, from Chasin to Brown University and then to SecurityFocus, which was acquired by Symantec.

The portal’s demise began in 2019 when Broadcom acquired Symantec. Three months later, in February 2020, the site stopped adding new content, mostly remaining an empty shell.

Today, the last maintainers of the site confirmed the portal’s current state and formalized BugTraq’s passage into infosec tradition.

“At this time, the resources on the BugTraq mailing list have not been prioritized, and this will be the last post on the list,” the post read.

Although many saw it coming, the site’s announcement sparked a wave of nostalgia among today’s cybersecurity veterans, many of whom started out on the mailing list or have been active on it since its launch.

“I would compare this impact to the current impact of Twitter on the way we communicate today,” said Ryan Naraine, former director of security strategy at Intel and one of the veterans of the cybersecurity industry.

“Except it was compulsory to be there [on BugTraq] for opinions and live commentary from what was not yet a fully formed security industry.

“So many great stories were originally announced in BugTraq and FullDisclosure [another similar mailing list],” Naraine added.

“This is where the Litchfields first made their name. I remember David Litchfield constantly giving up on hacking tools and Oracle research.

“It was the water cooler that connected what was emerging as a security industry.”


