SecurityWeek


Full Disclosure Mailing List Suspends Service Indefinitely

The creators of the Full Disclosure mailing list have suspended the service indefinitely due to a conflict with an unnamed security researcher.


Full Disclosure has been a respected source of information for security experts since its founding in 2002. In a message posted to the list, John Cartwright, one of Full Disclosure’s creators, stated the decision was made due to a conflict with someone in the security community who requested a large portion of the list’s archive be erased.

“To date we’ve had all sorts of requests to delete things, requests not to delete things, and a variety of legal threats both valid or otherwise,” Cartwright wrote. “However, I always assumed that the turning point would be a sweeping request for large-scale deletion of information that some vendor or other had taken exception to. I never imagined that request might come from a researcher within the ‘community’ itself (and I use that word loosely in modern times). But today, having spent a fair amount of time dealing with complaints from a particular individual (who shall remain nameless) I realised that I’m done.”

Tommy Chin, technical support engineer at vulnerability management and penetration testing firm CORE Security, said he was disappointed by the decision but ultimately understands it.

“Over the years, I’ve seen small subforums and entire forum websites close their doors and turn off their servers due to threatening notices from legal departments,” he said. “The communities are playing it safe by not getting involved in legal issues. That valuable research information – that pot of gold – is lost forever.”

Since its founding in 2002, the list has been the venue for numerous zero-day disclosures, including CVE-2013-3660, a Windows kernel (win32k.sys) privilege-escalation bug that was detailed on the list in 2013 before a patch was available.

“It’s sad to see an open community close; there were some very good conversations that happened there,” said Russ Ernst, director of product management at Lumension. “But at the same time, there are other avenues to share vulnerability information. The security industry is growing up; there are several white hat conferences out there, like CanSecWest, Pwn2Own and others and bug bounty programs that pay for responsibly disclosed information. When vulnerabilities are found, they must be responsibly reported to vendors that then must be quick to act on closing those holes.”


According to Cartwright, it is getting harder to operate an open forum in today’s legal climate – let alone a security-related forum such as Full Disclosure.

“There is no honour amongst hackers anymore,” Cartwright wrote. “There is no real community. There is precious little skill. The entire security game is becoming more and more regulated. This is all a sign of things to come, and a reflection on the sad state of an industry that should never have become an industry.”

“To be sure, there are personal and legal issues at play when you’re dealing with fresh zero-day,” said Tod Beardsley, Engineering Manager at Rapid7. “Going by John Cartwright’s released statements, those seem to be the primary motivators for halting service. It’s sad to see it go, but just because the Full-Disclosure mailing list has come to an end, it doesn’t mean that ‘full disclosure’ as a philosophy has ended.”

“Of course, things change,” Beardsley said. “Today, while it was possible to follow F-D, it wasn’t usually a very pleasant experience. F-D was still the place to go for the absolute latest unvetted and unmoderated vulnerability info, but today, we have lots and lots of high-quality alternatives.”

“Projects like OSVDB and Exploit-DB also very handily fill the role that F-D pioneered of ensuring that public access to vulnerabilities is still possible,” Beardsley said.

*Updated
