Full Disclosure back in full
On March 19, many computer security buffs were surprised by the sudden shutdown of the venerable Full Disclosure (FD) mailing list after more than a decade of existence. Although the original list maintainers remain out of the picture, a successor Full Disclosure list was launched one week later. How much, if anything, will change remains to be seen, but the new list is dedicated to filling the same role for the community. Since it was allegedly interaction with certain elements of that community that eventually led to the original list's shutdown, however, resurrecting FD will no doubt involve its own battles as well.
Interestingly enough, FD itself was first created in response to another security vulnerability list, Bugtraq. FD was founded in July 2002 by John Cartwright and Len Rose, who called for an alternative to Bugtraq, which they felt was no longer "dedicated to the immediate and full dissemination of security issues", as was its initial mission. As Brian "Jericho" Martin from OSVDB explained in his analysis of FD's abrupt shutdown, when the administration of Bugtraq was taken over by Symantec, some members of the security community began to feel Symantec was interfering in list operations. Specifically, Thomas Kristensen of Secunia publicly accused Symantec of delaying the publication of exploits that affected Symantec products. Symantec and its customers, the accusation said, seemed to be hearing about vulnerabilities posted to the list quickly, but the actual list emails were being held up (allegedly for moderation or due to delays caused by high mail volume) for days or even weeks.
Symantec denied the accusations, but there was enough interest in an "independent" security disclosure list that FD rapidly became one of the most popular security mailing lists. It gained a reputation as a list that honored open and transparent publication of security vulnerabilities for software of all stripes. Naturally, such a mission includes its share of headaches, which Cartwright seemed for the most part content to live with over the years. Consequently, his March 19 announcement that he was "suspending service indefinitely" took many people by surprise. In the announcement email, he did not go into detail about what prompted the shutdown, but said:
I never imagined that request might come from a researcher within the 'community' itself (and I use that word loosely in modern times). But today, having spent a fair amount of time dealing with complaints from a particular individual (who shall remain nameless) I realised that I'm done.
The unnamed individual, he said, wanted to take a "virtual hatchet to the list archives", apparently by requesting the removal of a large number of messages, and Cartwright, feeling that such an action would "undermine the efforts of the last 12 years", said that the request was the last straw. He would rather shut the list down, he said, than continue dealing with the complaints.
Perhaps unsurprisingly, quite a bit of speculation arose over who the unnamed party at the heart of the controversy was. Jericho opined that one of the most likely causes for the shutdown might be recent behavior by Nicholas Lemonias, who had recently been engaged in a lengthy and noticeably heated FD list thread. That thread was about an issue Lemonias regarded as a vulnerability in YouTube, a point on which few other list members seemed to agree. Jericho claimed that he had been forwarded a copy of a complaint that Lemonias had sent to the ISP of an FD archive site, a complaint asking for the removal of several list messages. Subsequently, he said, Lemonias sent him "threats and irrational demands" asking for the removal of his blog post.
Naturally, those on the outside of the private conversations involved will never know for certain what transpired. Regardless, with the shutdown of FD there was a fair amount of unhappiness in some corners of the security community, which lamented the lack of an unmoderated list where vulnerabilities could be quickly and openly reported in concordance with the principle of full disclosure.
Not everyone felt that a mailing list was still a vital component to the philosophy of publicly disclosing vulnerabilities, of course. On March 19, for example, Chris Wysopal said on Twitter that publicizing vulnerabilities on Twitter or other social networking platforms was a sufficient alternative. But the counter-argument is that web-based social networking services are (usually) centralized, and similarly that posting code snippets and examples to web services like Pastebin is unreliable since there is a single point of failure and content can be easily removed. Mailing lists can be archived and published in several places, thus adding valuable resiliency.
One of those who believed strongly in the list-based approach was Gordon "Fyodor" Lyon of the Nmap project. On March 25, he announced that he was starting a new Full Disclosure list, to be hosted at seclists.org, as a "spiritual successor" to the original. Seclists.org was already serving as an FD list archive, which provides a measure of continuity, and Fyodor got Cartwright's blessing before pursuing the relaunch. Nevertheless, Fyodor chose not to try to import the old list's subscribers; interested parties need to manually subscribe to the new FD, and a volunteer moderation team will be selected from the subscriber community.
In the relaunch announcement, Fyodor highlighted the need to have a vendor-neutral mailing list for disclosing and discussing vulnerabilities. Furthermore, he told the security blog Threatpost that mailing lists offered better resistance to censorship and tampering, since messages are "immediately remailed to more than 7,000 members who then all have their own copy which can't be quietly retracted or edited". Whether or not the new incarnation of FD will grow into a resource as valued as the old will be seen with time, but so far, list activity suggests quite a few community members already regard it as useful.