Prominent security mailing list Full Disclosure shuts down indefinitely

The administrator says he has had enough after a member of the hacker community tried to pressure him to remove unspecified content

The popular Full-Disclosure mailing list, which has served as a public discussion forum for vulnerability researchers for the past 12 years, has been suspended indefinitely by its maintainer.

In an announcement posted Wednesday on the list, John Cartwright, the list's co-founder and administrator, said that a recent content removal request from a security researcher prompted his decision to suspend the service indefinitely. However, his disappointment with the security research community as a whole also played a role in the decision.

"To date we've had all sorts of requests to delete things, requests not to delete things, and a variety of legal threats both valid or otherwise," Cartwright said, noting that he expected this to happen when he decided to create the list in July 2002. "However, I always assumed that the turning point would be a sweeping request for large-scale deletion of information that some vendor or other had taken exception to."

"I never imagined that request might come from a researcher within the 'community' itself (and I use that word loosely in modern times)," Cartwright said. "But today, having spent a fair amount of time dealing with complaints from a particular individual (who shall remain nameless) I realised that I'm done."

The Full Disclosure mailing list was created specifically to allow vulnerability researchers to share and discuss their findings openly, making transparency an important aspect of its existence. The list's charter says that "any information pertaining to vulnerabilities is acceptable" including the release of exploit techniques and code, and related tools and papers.

Vulnerability disclosure policies have become much more uniform across the industry since the list was created, with many researchers now practicing so-called responsible disclosure, in which vendors are given time to fix issues before they are made public. Even so, the list continued to receive its share of significant zero-day exploits in recent years.

For example, on June 10, 2010, five days after notifying Microsoft of a vulnerability in the Microsoft Windows Help Center component, Google security researcher Tavis Ormandy released full details about the issue on the list arguing that it's in the best interest of security to release the information rapidly because attackers had likely already studied the affected component.

On Aug. 20, 2011, a hacker known as Kingcope released a zero-day exploit called Apache Killer on the Full Disclosure mailing list that allowed crashing Apache Web servers from a single computer.

In Wednesday's announcement, Cartwright expressed his frustration that one of the community's own members was willing to undermine "the efforts of the last 12 years" referring to this as "the straw that broke the camel's back."

"There is no honour amongst hackers anymore," he said. "There is no real community. There is precious little skill. The entire security game is becoming more and more regulated. This is all a sign of things to come, and a reflection on the sad state of an industry that should never have become an industry."

It's not clear what kind of content the unnamed researcher tried to get removed from the list. Cartwright did not immediately respond to an inquiry seeking additional information, including whether he has any plans to hand over the list to someone else in the future.

Danish vulnerability intelligence firm Secunia, which has hosted and sponsored the Full Disclosure mailing list since 2005, did not comment on Cartwright's decision to shut down the list, but a representative said via email that the company has no plans to re-launch it as a Secunia-branded service.

The closure of the Full-Disclosure list is a very sad milestone for the information security industry because the list used to be one of the most reliable sources of security and hacking information, according to Ilia Kolochenko, the CEO of Geneva-based security firm High-Tech Bridge.

"But those days are gone and skilled hackers -- both Black and White Hats -- are no longer motivated to inform the public of their findings and exploits for free," he said via email. "They either work for vulnerability research companies like Vupen, participate in bug-bounties or simply sell 0days on the hacker black market. Obviously Full-Disclosure cannot exist without high-quality content, so I think this is why John Cartwright's decision to suspend the Full-Disclosure list is entirely reasonable, but still sad."

Carsten Eiram, the chief research officer at security intelligence firm Risk Based Security, said he is also sorry that the list is closing down because it's needed as much today as when it was launched.

"It was an unmoderated (later lightly moderated), unbiased, and independent list not controlled by a commercial entity. That is important, and it has always been my preferred list to publish vulnerability findings and similar to," Eiram said via email.

"The importance of the list was also why we decided to sponsor it back in March 2005 while I was at Secunia, when it needed a new sponsor," Eiram said. "Today at RBS [Risk Based Security], we're actually reaching out to John to hear if we can somehow help keep it going without impacting the integrity or independence of the list."

The list archive is still accessible through the seclists.org site.


Lucian Constantin

IDG News Service