Security Watch

Keeping Track of patches and hacks in the IT security world.

Full-Disclosure Mailing List Shuts Down

The popular Full-Disclosure mailing list for security vulnerability disclosure shuts down. What does it say for state of IT security in 2014?

Download the authoritative guide:

From the time I first started writing regularly about IT security in 2003 until today, the Full-Disclosure mailing list has been a must-read resource every day—but that apparently is ending today.

In a posting today, Full-Disclosure creator John Cartwright announced that the list is shutting down. It's a loss that I know I will feel.

Full-Disclosure has always been a fantastic resource for me as a writer looking to see what people were claiming. Over the years, I've found all manner of disclosures about vulnerabilities and tools that have translated into things I've written (after further validation and research at my end).

So why is Full-Disclosure shutting down?

The whole point of the Full-Disclosure mailing list by definition is full disclosure about security vulnerabilities, which can sometimes be a dicey issue. There is a right and a wrong way to do disclosure, and I've long been of the opinion that vendors should always be notified first and given some time to respond. That's just fair. I had long suspected that at some point a vendor would claim it wasn't contacted or given enough time, and that would trigger some form of legal request for Full-Disclosure's shutdown. In his final Full-Disclosure posting, Cartwright wrote that he too had thought the end would likely come from some kind of vendor request.

The end of Full-Disclosure, however, is not coming because of a vendor request. Surprisingly, it's coming because of a security researcher.

"I never imagined that request might come from a researcher within the 'community' itself (and I use that word loosely in modern times)," Cartwright wrote. "But today, having spent a fair amount of time dealing with complaints from a particular individual (who shall remain nameless) I realized that I'm done."

Cartwright also rants about the current state of the IT security world, as well as the lack of community, skill and honor among hackers.

"The entire security game is becoming more and more regulated," Cartwright wrote. "This is all a sign of things to come, and a reflection on the sad state of an industry that should never have become an industry."

While Full-Disclosure is now no more, that doesn't mean it's the end of disclosure on public mailing lists. In fact, Bugtraq, one of the oldest public bug and vulnerability mailing lists, is still active and in operation. Bugtraq got its start in 1993 and was the inspiration for Full-Disclosure's creation in 2002. The Full-Disclosure list was started as a way to create a more open bug mailing list after Bugtraq came under the ownership of, now owned by Symantec.

Full-Disclosure, however, was special because it never had any direct ties to any particular vendor. Whether or not Full-Disclosure re-emerges or is replaced by another mailing list or online resource remains to be seen.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.