Full-Disclosure Security Mailing List Closes


John Cartwright, administrator of the popular Full-Disclosure security email list, today released a bitter and pessimistic announcement that he will be suspending the list indefinitely.

Cartwright attributed the move to pressure from an anonymous security researcher – “one of us” – to remove large amounts of archival content from the list. It was too much for Cartwright.

When Full-Disclosure was launched in 2002, its mission – to allow anonymous reporting of security issues, not necessarily with prior disclosure to the vendor – was more controversial than it is now. Vendors may still prefer researchers to work with them confidentially before public disclosure, but they no longer complain publicly about “irresponsible” disclosure the way they once did.

After the announcement and some typical Full-Disclosure nonsense, the first publication of substance was “IIS double UTF decoding bug (old) exploit: IIS explorer”. This was an old vulnerability, but the release included a script-kiddie-friendly PHP exploit.

The signal-to-noise ratio on Full-Disclosure was at times low over the list’s 12 years. That set it apart from moderated lists like Bugtraq. But once Full-Disclosure appeared, things tended to happen there first.

But things are changing quickly in this industry, and Full-Disclosure is no longer where the action is. When security news breaks now, it is posted on Twitter first and spreads from there.

As Tod Beardsley, Engineering Manager at Rapid7, says, “… today we have lots and lots of high quality alternatives [to Full-Disclosure]. Damn, just have one Twitter or the Google News keyword ‘Metasploit’ and you’ll get some pretty decent information on what the world is watching. Projects like OSVDB and Exploit-DB also perform very well in the role in which FD played the pioneering part, ensuring that public access to vulnerabilities is always possible.” [Note: Metasploit, a tool for building and executing exploit code, is a product of Rapid7.]