Full Disclosure Mailing List: A Fresh Start
March 25, 2014
Like many of us in the security community, I (Fyodor) was shocked last week by John Cartwright's abrupt termination of the Full Disclosure list which he and Len Rose created way back in July 2002. It was a great 12-year run, with more than 91,500 posts during John's tenure. During that time he fought off numerous trolls, DoS attacks, spammers, and legal threats from angry vendors and researchers alike. John truly deserves our appreciation and thanks for sticking with it so long!
Some have argued that we no longer need a Full Disclosure list, or even that mailing lists as a concept are obsolete. They say researchers should just Tweet out links to advisories that can be hosted on Pastebin or company sites. I disagree. Mailing lists create a much more permanent record and their decentralized nature makes them harder to censor or quietly alter in the future. Jericho from OSVDB and Attrition elaborates further in this great post.
Upon hearing the bad news, I immediately wrote to John offering help. He said he was through with the list, but suggested: “you don't need me. If you want to start a replacement, go for it.” After some soul searching about how much I personally miss the list (despite all its flaws), I've decided to do so! I'm already quite familiar with handling legal threats and removal demands (usually by ignoring them) since I run Seclists.org, which has long been the most popular archive for Full Disclosure and many other great security lists. I already maintain mail servers and Mailman software because I run various other large lists including Nmap Dev and Nmap Announce.
The new list must be run by and for the security community in a vendor-neutral fashion. It will be lightly moderated like the old list, and a volunteer moderation team will be chosen from the active users. As before, this will be a public forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. FD differs from other security lists in its open nature, light (versus restrictive) moderation, and support for researchers' right to decide how to disclose their own discovered bugs. The full disclosure movement has been credited with forcing vendors to better secure their products and to publicly acknowledge and fix flaws rather than hide them. Vendor legal intimidation and censorship attempts won't be tolerated!
This list is taking a fresh start (rather than importing the old Full Disclosure member addresses), so you need to manually subscribe if you wish to be a member. Here is a handy form for doing so:
Thanks for joining, and I will try my best to manage this list as well and hopefully for as long as John's epic tenure! Once you subscribe using the box above or the Mailman page, you should receive a confirmation email. Perform the confirmation steps (web or email) and you should receive a welcome email confirming that you are subscribed.
This is meant to be a community resource, so if you have any suggestions or questions, please post them to the list. You can also email me directly at firstname.lastname@example.org.