One week ago, March 19th, John Cartwright announced the death of the Full Disclosure mailing list. For many people this signified the end of an era, and in some ways I felt the same. I can still remember signing up for it the first time and spending a large chunk of the morning in college and later at my first job, reading every post looking for interesting articles and vulnerabilities.
While the archives would live on, everyone assumed that FD was forever gone. That was a week ago.
Today, Full Disclosure is alive again, the advisories are flowing, the banter is cheerful, and the trolling has already started. Fyodor, the creator of nmap, seclists.org, and the amazing Favicon Poster (a kickstarter project that I missed while traveling, which made me realize the second meaning of ‘kickstarter’ – ‘to start one kicking themselves’), has decided to relaunch FD via seclists.org.
I had the opportunity to hear from Fyodor last night that he was announcing this list, and I asked him why he felt it was important to recreate FD. His response was, “It’s important for the community to have an open, vendor-neutral forum for discussing security vulnerabilities and research. Mailing lists may seem like old technology in these days of advanced web forums and social networks, but the distributed nature of mailing lists makes them harder to censor or quietly modify things after the fact.”
At Tripwire, we prefer to see responsible disclosure with adequate timelines, and many posts to FD follow that structure, but full disclosure does happen, and that makes lists like FD a necessary evil. During the week-long absence of FD, advisories were posted to blogs, tweeted, and mailed to various other places. The information was still public, but it was decentralized.
This makes it harder to defend against the information that is released, and that’s the ultimate, albeit slightly misguided, goal of FD: to provide everyone the information as quickly as possible so people can protect themselves. This rebirth of FD allows people to do that more easily this week than they could last week.
If you’re interested in following or contributing to the new Full Disclosure mailing list, you can sign up here.