Prominent security mailing list Full Disclosure shuts down indefinitely

The administrator says he had enough after a member of the hacker community tried to pressure him to remove unspecified content

The popular Full-Disclosure mailing list that has served as a public discussion forum for vulnerability researchers for the past 12 years was suspended indefinitely by its maintainer.

In an announcement posted Wednesday on the list, John Cartwright, the list's co-founder and administrator, said that a recent content removal request from a security researcher prompted his decision to suspend the service indefinitely. However, his disappointment with the security research community as a whole also played a role in the decision.

"To date we've had all sorts of requests to delete things, requests not to delete things, and a variety of legal threats both valid or otherwise," Cartwright said, noting that he expected this to happen when he decided to create the list in July 2002. "However, I always assumed that the turning point would be a sweeping request for large-scale deletion of information that some vendor or other had taken exception to."

"I never imagined that request might come from a researcher within the 'community' itself (and I use that word loosely in modern times)," Cartwright said. "But today, having spent a fair amount of time dealing with complaints from a particular individual (who shall remain nameless) I realised that I'm done."

The Full Disclosure mailing list was created specifically to allow vulnerability researchers to share and discuss their findings openly, making transparency an important aspect of its existence. The list's charter says that "any information pertaining to vulnerabilities is acceptable" including the release of exploit techniques and code, and related tools and papers.

Even though vulnerability disclosure policies have become much more uniform in the industry since the list was created, with many researchers now practicing so-called responsible disclosure where the vendors are given time to fix the issues before they're made public, the list continued to receive its share of significant zero-day exploits in recent years.

For example, on June 10, 2010, five days after notifying Microsoft of a vulnerability in the Microsoft Windows Help Center component, Google security researcher Tavis Ormandy released full details about the issue on the list arguing that it's in the best interest of security to release the information rapidly because attackers had likely already studied the affected component.

On Aug. 20, 2011, a hacker known as Kingcope released a zero-day exploit called Apache Killer on the Full Disclosure mailing list that allowed crashing Apache Web servers from a single computer.

In Wednesday's announcement, Cartwright expressed his frustration that one of the community's own members was willing to undermine "the efforts of the last 12 years" referring to this as "the straw that broke the camel's back."

"There is no honour amongst hackers anymore," he said. "There is no real community. There is precious little skill. The entire security game is becoming more and more regulated. This is all a sign of things to come, and a reflection on the sad state of an industry that should never have become an industry."

It's not clear what was the nature of the content that the unnamed researcher tried to get removed from the list. Cartwright did not immediately respond to an inquiry seeking additional information and whether he has any plans to hand over the list to someone else in the future.

Danish vulnerability intelligence firm Secunia, which hosted and sponsored the Full Disclosure mailing list since 2005, did not comment on Cartwright's decision to shut down the list, but a representative said via email that the company has no plans of re-launching it as a Secunia-branded service.

The closure of the Full-Disclosure list is a very sad milestone for the information security industry because the list used to be one of the most reliable sources of security and hacking information, according to Ilia Kolochenko, the CEO of Geneva-based security firm High-Tech Bridge.

"But those days are gone and skilled hackers -- both Black and White Hats -- are no longer motivated to inform the public of their findings and exploits for free," he said via email. "They either work for vulnerability research companies like Vupen, participate in bug-bounties or simply sell 0days on the hacker black market. Obviously Full-Disclosure cannot exist without high-quality content, so I think this is why John Cartwright's decision to suspend the Full-Disclosure list is entirely reasonable, but still sad."

Carsten Eiram, the chief research officer at security intelligence firm Risk Based Security, said he is also sorry that the list is closing down because it's needed as much today as when it was launched.

"It was an unmoderated (later lightly moderated), unbiased, and independent list not controlled by a commercial entity. That is important, and it has always been my preferred list to publish vulnerability findings and similar to," Eiram said via email.

"The importance of the list was also why we decided to sponsor it back in March 2005 while I was at Secunia, when it needed a new sponsor," Eiram said. "Today at RBS [Risk Based Security], we're actually reaching out to John to hear, if we can somehow help keep it going without impacting the integrity or independence of the list."

The list archive is still accessible through the site.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags secuniaExploits / vulnerabilities

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill


I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?