Created in July of 2002, the Full Disclosure mailing list has been a popular email discussion and announcement resource for computer security enthusiasts to report and discuss vulnerabilities in software products. "Enthusiast" is probably not the proper word to use, though. Membership included vendors, security researchers, and security experts. The expertise and knowledge were so vast that you could almost label many of the faithful subscribers as security scientists. In many cases, the Full Disclosure list content provided early warning about zero-day vulnerabilities even before they were reported to the software vendors.
In March, one of the creators and moderators, John Cartwright, decided to end the 12-year effort by shutting the list down abruptly. In his final missive, John explained that the termination resulted from having to deal with an evolving lack of value, focus, and numerous complaints. In particular, the last straw was a single individual who strove to undermine the efforts of the community.
Some have argued that email lists are a thing of the past, replaced by things like Twitter, Facebook, and Friendster. But, from experience, I know that's not the case and is just a misguided excuse. The email discussion lists on myITforum have been going strong since 1998 and continue to provide some of the best community content available for the various topics. I'm not sure what the subscriber base topped out at for the Full Disclosure list during its peak, but several of the myITforum lists top 1500 subscribers.
John's final note will remain as a eulogy to a community that hadn't necessarily run out of gas, but in my opinion, an owner had run out of patience and lost the original passion:
I'm not willing to fight this fight any longer. It's getting harder to operate an open forum in today's legal climate, let alone a security-related one. There is no honour amongst hackers any more. There is no real community. There is precious little skill. The entire security game is becoming more and more regulated. This is all a sign of things to come, and a reflection on the sad state of an industry that should never have become an industry.
So, a timeline in security computing history and community came to a close. But, that's not the end of the story. Realizing the value and retaining a passion for security, Gordon Lyon, developer of the Nmap Security Scanner, author, and owner of Insecure.org, Nmap.org, SecLists.org, and SecTools.org, has decided to assume the mantle as new owner, leader, and moderator of the Full Disclosure community mailing list.
Gordon makes the new list's mission statement very clear:
The new list must be run by and for the security community in a vendor-neutral fashion. It will be lightly moderated like the old list, and a volunteer moderation team will be chosen from the active users. As before, this will be a public forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. FD differs from other security lists in its open nature, light (versus restrictive) moderation, and support for researchers' right to decide how to disclose their own discovered bugs. The full disclosure movement has been credited with forcing vendors to better secure their products and to publicly acknowledge and fix flaws rather than hide them. Vendor legal intimidation and censorship attempts won't be tolerated!
Due to the quick termination of the old list by its original creator, the subscriber list could not be imported. Instead, those who are interested in joining a rich security community will need to sign up fresh. Gordon's task is not an easy one. Migrating a community is a tough prospect in itself, but creating one from scratch and expecting interested patrons to follow is almost impossible. Almost. Believe me, I know. I've done it once in my lifetime. So, I truly respect what Gordon is attempting to accomplish and I hope you'll support his efforts by subscribing to the new list.
The subscription mechanism is located here: Fulldisclosure -- Improving network security through full disclosure