
Full Disclosure List Gets a Fresh Start – Reborn Under New Operator


Less than a week after announcing that it would suspend service indefinitely due to a conflict with an unnamed security researcher and ongoing legal threats, the Full Disclosure mailing list is coming back, albeit from scratch.

Full Disclosure, which has been around since 2002, served as an open, public forum for the discussion of vulnerabilities and exploitation techniques, along with other items of interest to the security community.

In a message posted to the list on March 19, John Cartwright, one of Full Disclosure’s creators, stated that the decision to shutter the service was made due to a conflict with someone in the security community who requested a large portion of the list’s archive be erased.

“I’m not willing to fight this fight any longer,” Cartwright wrote. “It’s getting harder to operate an open forum in today’s legal climate, let alone a security-related one.”

Gordon Lyon (aka Fyodor), who operates several Internet security resources and other mailing lists, said that upon hearing of the closing, he immediately reached out to Cartwright to offer assistance.

While Cartwright insisted that he was done with the list, he encouraged Lyon to move forward and create a replacement.

“You don’t need me. If you want to start a replacement, go for it,” Cartwright wrote in an email to Lyon.

“After some soul searching about how much I personally miss the list (despite all its flaws), I’ve decided to do so!” Lyon said in his announcement of the new list. “I’m already quite familiar with handling legal threats and removal demands (usually by ignoring them) since I run, which has long been the most popular archive for Full Disclosure and many other great security lists.”

While the list may take some time to build back an established subscriber and contributor base, Lyon’s effort is likely to be supported by security researchers and practitioners—though some vendors are not likely to be as supportive if history tells us anything.

Lyon already maintains other mailing lists including Nmap Dev and Nmap Announce, and says he will try his best to manage the list as well as Cartwright had.

“The new list must be run by and for the security community in a vendor-neutral fashion,” Lyon wrote. “It will be lightly moderated like the old list, and a volunteer moderation team will be chosen from the active users.”

“Vendor legal intimidation and censorship attempts won’t be tolerated,” he said.

Because the list is getting a fresh start and no previous subscriber information appears to be headed to Lyon, interested users will have to subscribe manually.

“To be sure, there are personal and legal issues at play when you’re dealing with fresh zero-day,” said Tod Beardsley, Engineering Manager at Rapid7, in response to the FD list shutting down. “Going by John Cartwright’s released statements, those seem to be the primary motivators for halting service. It’s sad to see it go, but just because the Full-Disclosure mailing list has come to an end, it doesn’t mean that ‘full disclosure’ as a philosophy has ended.”

“Of course, things change,” Beardsley continued. “Today, while it was possible to follow F-D, it wasn’t usually a very pleasant experience. F-D was still the place to go for the absolute latest unvetted and unmoderated vulnerability info, but today, we have lots and lots of high-quality alternatives.”

Lyon, however, argues that there is still significant value in maintaining such a list.

“Some have argued that we no longer need a Full Disclosure list, or even that mailing lists as a concept are obsolete,” he opined. “They say researchers should just Tweet out links to advisories that can be hosted on Pastebin or company sites. I disagree. Mailing lists create a much more permanent record and their decentralized nature makes them harder to censor or quietly alter in the future.”


By Mike Lennon, Managing Editor, SecurityWeek.
