Full Disclosure Mailing List Shuts Down

John Cartwright, the operator of Full Disclosure, announced yesterday that he has shut down the mailing list
John Cartwright, the operator of Full Disclosure, announced yesterday that he has shut down the mailing list

Cartwright suggests that he had always suspected Full Disclosure could not continue indefinitely, and that the end would come from "a sweeping request for large-scale deletion of information" instigated by a vendor. "I never imagined that request might come from a researcher within the 'community' itself," he wrote. His bitterness is palpable. "Taking a virtual hatchet to the list archives on the whim of an individual just doesn't feel right. That 'one of our own' would undermine the efforts of the last 12 years is really the straw that broke the camel's back."

He quits. "I'm not willing to fight this fight any longer...The entire security game is becoming more and more regulated. This is all a sign of things to come, and a reflection on the sad state of an industry that should never have become an industry."

It is, however, an act that will please and sadden security professionals in equal measure. Security expert Graham Cluley has always had some reservations on the concept of full disclosure, preferring where possible the 'responsible disclosure' route of always first disclosing vulnerabilities to the vendor rather than the public. "My personal feeling is that full disclosure of vulnerabilities which can be used by hackers and malware authors is often irresponsible, as it doesn't help the average computer user but puts the information in the hands of people who might have criminal intentions," he told Infosecurity by email.

He believes that security researchers should inform the vendor and work with that vendor to get the vulnerability fixed. That doesn't always work, of course; but he still prefers an alternative route to full disclosure. "Of course, if a vendor doesn't play ball or takes too long to resolve an issue, vulnerability researchers should – IMHO – go to the press and demonstrate the flaw to them (to apply pressure to the vendor) rather than make the intimate details of how to exploit a weakness public."

Tellingly, he adds, "But it's a religious debate, frankly, with strongly held opinions on both sides."

It could be expected that an opposing view might come from the Metasploit project. Metasploit takes vulnerabilities and turns them into publicly available exploits; again, sometimes before the vendor has a patch available. These exploits can be used by security professionals to test their own security defenses – but they can equally be used by bad people for bad purposes. 

Tod Beardsley, engineering manager for Metasploit at Rapid7, told Infosecurity by email that Full Disclosure was founded in 2002, "when it was still a little novel to just dump 0day out in public. There was very little in the way of both legitimate [and] open source research – Metasploit was still a year in the future."

But he adds that the mailing list is – or was – no longer the only source. There are now "lots and lots of high-quality alternatives. Heck, just have a Twitter or Google News keyword of 'Metasploit' and you'll get some pretty decent intel on what the world is looking at; projects like OSVDB and Exploit-DB also very handily fill the role that F-D pioneered of ensuring that public access to vulnerabilities is still possible."

Beardsley's view is that while it is sad to see the ending of a pioneering service, nobody should think this is the end of the full disclosure philosophy. "While it's sad to see it go, just because the Full-Disclosure mailing list has come to an end, it doesn't mean that 'full disclosure' as a philosophy has ended."

What’s Hot on Infosecurity Magazine?