March 19, 2014, 2:33 PM — The popular Full-Disclosure mailing list that has served as a public discussion forum for vulnerability researchers for the past 12 years was suspended indefinitely by its maintainer.
In an announcement posted Wednesday on the list, John Cartwright, the list's co-founder and administrator, said that a recent content removal request from a security researcher prompted his decision to suspend the service indefinitely. However, his disappointment with the security research community as a whole also played a role in the decision.
"To date we've had all sorts of requests to delete things, requests not to delete things, and a variety of legal threats both valid or otherwise," Cartwright said, noting that he expected this to happen when he decided to create the list in July 2002. "However, I always assumed that the turning point would be a sweeping request for large-scale deletion of information that some vendor or other had taken exception to."
"I never imagined that request might come from a researcher within the 'community' itself (and I use that word loosely in modern times)," Cartwright said. "But today, having spent a fair amount of time dealing with complaints from a particular individual (who shall remain nameless) I realised that I'm done."
The Full Disclosure mailing list was created specifically to allow vulnerability researchers to share and discuss their findings openly, making transparency an important aspect of its existence. The list's charter says that "any information pertaining to vulnerabilities is acceptable" including the release of exploit techniques and code, and related tools and papers.
Even though vulnerability disclosure policies have become much more uniform in the industry since the list was created, with many researchers now practicing so-called responsible disclosure where the vendors are given time to fix the issues before they're made public, the list continued to receive its share of significant zero-day exploits in recent years.
For example, on June 10, 2010, five days after notifying Microsoft of a vulnerability in the Microsoft Windows Help Center component, Google security researcher Tavis Ormandy released full details about the issue on the list arguing that it's in the best interest of security to release the information rapidly because attackers had likely already studied the affected component.
On Aug. 20, 2011, a hacker known as Kingcope released a zero-day exploit called Apache Killer on the Full Disclosure mailing list that allowed crashing Apache Web servers from a single computer.