Full Disclosure mailing list closure elicits mixed reactions

The Full Disclosure mailing list has long been the perfect place for security researchers to disclose and discuss newly found vulnerabilities. But John Cartwright, one of its creators, has pulled the plug on the list today.

“When Len [Rose] and I created the Full Disclosure list way back in July 2002, we knew that we’d have our fair share of legal troubles along the way. We were right. To date we’ve had all sorts of requests to delete things, requests not to delete things, and a variety of legal threats both valid or otherwise. However, I always assumed that the turning point would be a sweeping request for large-scale deletion of information that some vendor or other had taken exception to,” he wrote on the list.

“I never imagined that request might come from a researcher within the ‘community’ itself (and I use that word loosely in modern times).”

He didn’t name the individual, but added that “it’s getting harder to operate an open forum in today’s legal climate, let alone a security-related one.”

“There is no honour amongst hackers any more. There is no real community. There is precious little skill. The entire security game is becoming more and more regulated. This is all a sign of things to come, and a reflection on the sad state of an industry that should never have become an industry,” he noted, then announced: “I’m suspending service indefinitely. Thanks for playing.”

Below are comments that Help Net Security received from the security community.

Ken Pickering, Director of Engineering at CORE Security

I’ve been following Full Disclosure for years, and if it stays down, it represents the end of an era for many, many people who used it for the quality information it provided. The industry has morphed from independent research by skilled practitioners to big business and legal saber-rattling. I can empathize with his decision, but I’m still pretty sad it came to this.

It’s funny, because looking back, I remember it mainly consisting of viable security disclosures/announcements and occasionally looking deeper into notable ones. But it’s largely the hoaxes and trolls that stand out as the most memorable. Debunking a hoax was where the true technical nature of the community really stood out, and largely killed the hype behind some “rumored 0day”.

Raj Samani, VP, EMEA CTO, McAfee

It’s a shame that the full disclosure list, a forum created for much needed transparency and information sharing across the IT sector, has been suspended.

Although understandable that vendors and authority figures within the industry want to protect their reputations, in order for the industry to grow in strength and stay one step ahead of the bad guys we must continue to promote collaboration.

Sergio Galindo, General Manager, Infrastructure Business Unit at GFI Software

The loss of Full Disclosure is a step backwards for the wider IT security sector. Outlets that publish and provide a repository of vulnerability information are important to the industry at large, even though they can be exploited by malicious code writers. Businesses and security software vendors need a balanced view on threats that are out there – and multiple sources provide redundancy as well as verification of a threat – so that they have a bigger picture of the landscape and how IT systems may be exploited.

Forums and mailing lists such as Full Disclosure are critical to the grassroots security sector, and the news that it has closed down definitely leaves a void in the industry. Security professionals now have the unenviable task of finding alternative trusted sources for grassroots threat information as part of their efforts to keep on top of vulnerabilities threatening the systems they use.

Tom Cross, Director of Research for Lancope

For many years, the Full Disclosure Mailing List has served an important role in the ecosystem that identifies and remediates computer security vulnerabilities. Having a forum where vulnerability details are disclosed helps ensure that everyone is aware of that information as soon as it emerges.

The loss of this forum may result in more chaotic disclosures which will make remediating these issues more challenging. Hopefully an alternative forum will emerge.

Chris Eng, Vice President of Research at Veracode

Most people I know unsubscribed from Full Disclosure a long time ago. The signal-to-noise ratio is very low, and these days vulnerability researchers have no need for traditional mailing lists to publish their findings. We have blogs and Twitter, not to mention hundreds of security conferences.

I think many will be nostalgic about the early days of Full Disclosure, but closing the list will have no noticeable impact on the industry or our ability to share information.

Ilia Kolochenko, CEO of High-Tech Bridge

The end of the Full Disclosure list is definitely a milestone for the information security industry – a very sad one as years ago Full Disclosure used to be one of the most reliable and popular sources of infosec/hacking information. But those days are gone and skilled hackers – both Black and White Hats – are no longer motivated to inform the public of their findings and exploits for free. They either work for vulnerability research companies like Vupen, participate in bug-bounties or simply sell 0days on the hacker black market.

Obviously Full Disclosure cannot exist without high-quality content, so I think this is why John Cartwright’s decision to suspend the Full Disclosure list is entirely reasonable, but still sad.

Being a regular reader of the list I also regularly see some off-topic posts, “holy wars”, fakes and other garbage that the administration has to filter every day. So, I perfectly understand the decision to suspend this list, as managing such a list in a proper way is a titanic daily job, especially nowadays.

Jonathan French, Security Analyst at AppRiver

Places that disclose security vulnerabilities are all over the internet. The big difference between many of these sites is the user base. A user base of hackers and nefarious users will likely have a much different public image and draw more scrutiny than one of security professionals. In this case, Full Disclosure has made the decision that the user base is to a point they no longer think is viable and the legal issues are no longer worth the trouble.

It doesn’t sound like it was closed for fear of legal interventions, but rather that he’s just tired of dealing with the attempts of legal intervention. It’s hard to judge the decision to close down as being a right one or not since we don’t know the details. While this is a blow to websites that try to be open and free, I don’t think it will have too much of an impact on the way vulnerabilities are shared.

Taking down a mailing list like that doesn’t magically make problems disappear or make everyone want to keep quiet about finding a vulnerability, instead it will most likely redistribute the information and users among other new or old sites, making it potentially harder for companies to even find out someone has found a vulnerability.

Sam Erdheim, Senior Security Strategist at AlgoSec

With security breaches having a very high cost to organizations (e.g. incident response, data recovery costs, customer notification costs, customer loss, loss of brand equity, legal fees, fines, etc.) there is a lot of sensitivity to information that is made public. We are in an extremely litigious environment and having a loosely moderated forum around security threats, vulnerabilities, etc. is ripe for some vendor, organization or individual to sue the creators of this site.

The sad part is that more information sharing and threat intelligence can help the security community become more proactive or at the very least respond more quickly.

Tim Keanini, CTO at Lancope

Sign of the times. Back in the late 1990s and early 2000s, security enthusiasts were a lot like amateur radio enthusiasts: the intense passion for their craft was shared at conferences, mailing lists, Usenet, IRC, etc. This event reminds me that we are now the minority and in every community, there is always the conflict brought on by a change of opinion or a change in an individual’s agenda.

The full disclosure mailing list will always have a special place in my heart but the reality is that the disclosing and sharing of zero days have changed as TOR and cryptocurrency have emerged and the darknets offer this to anyone who is willing to pay. In short, full disclosure is now a business and a growing business at that.

The role that the full disclosure mailing list played was an important one at the time and it feels like a historical part of the Internet is going away.
