Prominent security mailing list Full Disclosure shuts down indefinitely

The administrator says he had enough after a member of the hacker community tried to pressure him to remove unspecified content

The popular Full-Disclosure mailing list that has served as a public discussion forum for vulnerability researchers for the past 12 years was suspended indefinitely by its maintainer.

In an announcement posted Wednesday on the list, John Cartwright, the list's co-founder and administrator, said that a recent content removal request from a security researcher prompted his decision to suspend the service indefinitely. However, his disappointment with the security research community as a whole also played a role in the decision.

"To date we've had all sorts of requests to delete things, requests not to delete things, and a variety of legal threats both valid or otherwise," Cartwright said, noting that he expected this to happen when he decided to create the list in July 2002. "However, I always assumed that the turning point would be a sweeping request for large-scale deletion of information that some vendor or other had taken exception to."

"I never imagined that request might come from a researcher within the 'community' itself (and I use that word loosely in modern times)," Cartwright said. "But today, having spent a fair amount of time dealing with complaints from a particular individual (who shall remain nameless) I realised that I'm done."

The Full Disclosure mailing list was created specifically to allow vulnerability researchers to share and discuss their findings openly, making transparency an important aspect of its existence. The list's charter says that "any information pertaining to vulnerabilities is acceptable" including the release of exploit techniques and code, and related tools and papers.

Even though vulnerability disclosure policies have become much more uniform in the industry since the list was created, with many researchers now practicing so-called responsible disclosure where the vendors are given time to fix the issues before they're made public, the list continued to receive its share of significant zero-day exploits in recent years.

For example, on June 10, 2010, five days after notifying Microsoft of a vulnerability in the Microsoft Windows Help Center component, Google security researcher Tavis Ormandy released full details about the issue on the list arguing that it's in the best interest of security to release the information rapidly because attackers had likely already studied the affected component.

On Aug. 20, 2011, a hacker known as Kingcope released a zero-day exploit called Apache Killer on the Full Disclosure mailing list that allowed crashing Apache Web servers from a single computer.

In Wednesday's announcement, Cartwright expressed his frustration that one of the community's own members was willing to undermine "the efforts of the last 12 years" referring to this as "the straw that broke the camel's back."

"There is no honour amongst hackers anymore," he said. "There is no real community. There is precious little skill. The entire security game is becoming more and more regulated. This is all a sign of things to come, and a reflection on the sad state of an industry that should never have become an industry."

It's not clear what was the nature of the content that the unnamed researcher tried to get removed from the list. Cartwright did not immediately respond to an inquiry seeking additional information and whether he has any plans to hand over the list to someone else in the future.

Danish vulnerability intelligence firm Secunia, which hosted and sponsored the Full Disclosure mailing list since 2005, did not comment on Cartwright's decision to shut down the list, but a representative said via email that the company has no plans of re-launching it as a Secunia-branded service.

The closure of the Full-Disclosure list is a very sad milestone for the information security industry because the list used to be one of the most reliable sources of security and hacking information, according to Ilia Kolochenko, the CEO of Geneva-based security firm High-Tech Bridge.

"But those days are gone and skilled hackers -- both Black and White Hats -- are no longer motivated to inform the public of their findings and exploits for free," he said via email. "They either work for vulnerability research companies like Vupen, participate in bug-bounties or simply sell 0days on the hacker black market. Obviously Full-Disclosure cannot exist without high-quality content, so I think this is why John Cartwright's decision to suspend the Full-Disclosure list is entirely reasonable, but still sad."

Carsten Eiram, the chief research officer at security intelligence firm Risk Based Security, said he is also sorry that the list is closing down because it's needed as much today as when it was launched.

"It was an unmoderated (later lightly moderated), unbiased, and independent list not controlled by a commercial entity. That is important, and it has always been my preferred list to publish vulnerability findings and similar to," Eiram said via email.

"The importance of the list was also why we decided to sponsor it back in March 2005 while I was at Secunia, when it needed a new sponsor," Eiram said. "Today at RBS [Risk Based Security], we're actually reaching out to John to hear, if we can somehow help keep it going without impacting the integrity or independence of the list."

The list archive is still accessible through the site.

Join the CSO newsletter!

Error: Please check your email address.

Tags secuniasecurityExploits / vulnerabilities

More about ApacheGenevaGoogleKillerMicrosoftSecunia

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place