The creators of the Full Disclosure mailing list have suspended the service indefinitely due to a conflict with an unnamed security researcher.
Full Disclosure has been a respected source of information for security experts since its founding in 2002. In a message posted to the list, John Cartwright, one of Full Disclosure’s creators, stated the decision was made due to a conflict with someone in the security community who requested a large portion of the list’s archive be erased.
“To date we’ve had all sorts of requests to delete things, requests not to delete things, and a variety of legal threats both valid or otherwise,” Cartwright wrote. “However, I always assumed that the turning point would be a sweeping request for large-scale deletion of information that some vendor or other had taken exception to. I never imagined that request might come from a researcher within the ‘community’ itself (and I use that word loosely in modern times). But today, having spent a fair amount of time dealing with complaints from a particular individual (who shall remain nameless) I realised that I’m done.”
Tommy Chin, technical support engineer at vulnerability management and penetration testing firm CORE Security, said he was disappointed by the decision but ultimately understands it.
“Over the years, I’ve seen small subforums and entire forum websites close their doors and turn off their servers due to threatening notices from legal departments,” he said. “The communities are playing it safe by not getting involved in legal issues. That valuable research information – that pot of gold – is lost forever.”
Over the years, the list has been the venue for numerous zero-day disclosures, including CVE-2013-3660, a Windows kernel privilege-escalation bug detailed on the mailing list last year.
“It’s sad to see an open community close; there were some very good conversations that happened there,” said Russ Ernst, director of product management at Lumension. “But at the same time, there are other avenues to share vulnerability information. The security industry is growing up; there are several white hat conferences out there, like CanSecWest, Pwn2Own and others and bug bounty programs that pay for responsibly disclosed information. When vulnerabilities are found, they must be responsibly reported to vendors that then must be quick to act on closing those holes.”
According to Cartwright, it is getting harder to operate an open forum in today’s legal climate – let alone a security-related forum such as Full Disclosure.
“There is no honour amongst hackers anymore,” Cartwright wrote. “There is no real community. There is precious little skill. The entire security game is becoming more and more regulated. This is all a sign of things to come, and a reflection on the sad state of an industry that should never have become an industry.”
“To be sure, there are personal and legal issues at play when you’re dealing with fresh zero-day,” said Tod Beardsley, engineering manager at Rapid7. “Going by John Cartwright’s released statements, those seem to be the primary motivators for halting service. It’s sad to see it go, but just because the Full-Disclosure mailing list has come to an end, it doesn’t mean that ‘full disclosure’ as a philosophy has ended.”
“Of course, things change,” Beardsley said. “Today, while it was possible to follow F-D, it wasn’t usually a very pleasant experience. F-D was still the place to go for the absolute latest unvetted and unmoderated vulnerability info, but today, we have lots and lots of high-quality alternatives.”
“Projects like OSVDB and Exploit-DB also very handily fill the role that F-D pioneered of ensuring that public access to vulnerabilities is still possible,” Beardsley said.