The popular Full-Disclosure mailing list that has served as a public discussion forum for vulnerability researchers for the past 12 years was suspended indefinitely by its maintainer.
In an announcement posted Wednesday on the list, John Cartwright, the list’s co-founder and administrator, said that a recent content removal request from a security researcher prompted his decision to suspend the service indefinitely. However, his disappointment with the security research community as a whole also played a role in the decision.
“To date we’ve had all sorts of requests to delete things, requests not to delete things, and a variety of legal threats both valid or otherwise,” Cartwright said, noting that he expected this to happen when he decided to create the list in July 2002. “However, I always assumed that the turning point would be a sweeping request for large-scale deletion of information that some vendor or other had taken exception to.”
“I never imagined that request might come from a researcher within the ‘community’ itself (and I use that word loosely in modern times),” Cartwright said. “But today, having spent a fair amount of time dealing with complaints from a particular individual (who shall remain nameless) I realised that I’m done.”
The Full Disclosure mailing list was created specifically to allow vulnerability researchers to share and discuss their findings openly, making transparency an important aspect of its existence. The list’s charter says that “any information pertaining to vulnerabilities is acceptable” including the release of exploit techniques and code, and related tools and papers.
A home for zero-day disclosures
Even though vulnerability disclosure policies have become much more uniform in the industry since the list was created, with many researchers now practicing so-called responsible disclosure where the vendors are given time to fix the issues before they’re made public, the list continued to receive its share of significant zero-day exploits in recent years.
For example, on June 10, 2010, five days after notifying Microsoft of a vulnerability in the Microsoft Windows Help Center component, Google security researcher Tavis Ormandy released full details about the issue on the list arguing that it’s in the best interest of security to release the information rapidly because attackers had likely already studied the affected component.
On Aug. 20, 2011, a hacker known as Kingcope released a zero-day exploit called Apache Killer on the Full Disclosure mailing list that allowed crashing Apache Web servers from a single computer.
In Wednesday’s announcement, Cartwright expressed his frustration that one of the community’s own members was willing to undermine “the efforts of the last 12 years” referring to this as “the straw that broke the camel’s back.”
"No honour among hackers"
“There is no honour amongst hackers anymore,” he said. “There is no real community. There is precious little skill. The entire security game is becoming more and more regulated. This is all a sign of things to come, and a reflection on the sad state of an industry that should never have become an industry.”
It’s not clear what was the nature of the content that the unnamed researcher tried to get removed from the list. Cartwright did not immediately respond to an inquiry seeking additional information and whether he has any plans to hand over the list to someone else in the future.
Danish vulnerability intelligence firm Secunia, which hosted and sponsored the Full Disclosure mailing list since 2005, did not comment on Cartwright’s decision to shut down the list, but a representative said via email that the company has no plans of re-launching it as a Secunia-branded service.
The closure of the Full-Disclosure list is a very sad milestone for the information security industry because the list used to be one of the most reliable sources of security and hacking information, according to Ilia Kolochenko, the CEO of Geneva-based security firm High-Tech Bridge.
Why disclose when you can sell?
“But those days are gone and skilled hackers—both Black and White Hats—are no longer motivated to inform the public of their findings and exploits for free,” he said via email. “They either work for vulnerability research companies like Vupen, participate in bug-bounties or simply sell 0days on the hacker black market. Obviously Full-Disclosure cannot exist without high-quality content, so I think this is why John Cartwright’s decision to suspend the Full-Disclosure list is entirely reasonable, but still sad.”
Carsten Eiram, the chief research officer at security intelligence firm Risk Based Security, said he is also sorry that the list is closing down because it’s needed as much today as when it was launched.
“It was an unmoderated (later lightly moderated), unbiased, and independent list not controlled by a commercial entity. That is important, and it has always been my preferred list to publish vulnerability findings and similar to,” Eiram said via email.
“The importance of the list was also why we decided to sponsor it back in March 2005 while I was at Secunia, when it needed a new sponsor,” Eiram said. “Today at RBS [Risk Based Security], we’re actually reaching out to John to hear, if we can somehow help keep it going without impacting the integrity or independence of the list.”
The list archive is still accessible through the seclists.org site.