Full-Disclosure was not the only security vulnerabilities discussion list but somehow it has always felt like the one that counted. The announcement by admin John Cartwright that it is closing thanks to the actions of an unnamed security researcher (it has been plagued with legal actions) has understandably been greeted with dismay by researchers.
Its importance was its independence in a field where the other well-known and more moderated list, Bugtraq, fell into the hands of Symantec around the same time it was founded in 2002. So what did it achieve and does it matter that it is disappearing?
There is no argument that Full-Disclosure has had a huge effect on the vulnerabilities field, helping to turn something software firms were allowed not to care about into a major public and software relations priority. Equally,the world has changed since 2002. A growing number of important security flaws no longer make it on to public forums, being traded for cash to middle men and the vendors themselves. With bug bounty schemes now becoming the norm, security flaws have gone from esoteric pursuit to a money-making profession.
"This is a real step backwards for the security community. While the loss of a news source like full disclosure will be replaced, the reason for the shutdown is the real loss for the community. For years security by obscurity was the prevalent approach even among large ISV's. Pressure from forums such as full disclosure helped changed that approach,” agreed AlienVault’s Russ Spitler.
“Today, every large ISV has some form of response program and most bug bounties to encourage responsible disclosure of issues - a success whose credit does in part lie in early players such as full disclosure.
However, Ilia Kolochenko of Swiss security outfit High-Tech Bridge was blunter.
"The end of the Full-Disclosure list is definitely a milestone for the information security industry, a very sad one as years ago Full-Disclosure used to be one of the most reliable and popular sources of infosec/hacking information. But those days are gone and skilled hackers - both Black and White Hats - are no longer motivated to inform the public of their findings and exploits for free. They either work for vulnerability research companies like Vupen, participate in bug-bounties or simply sell 0days on the hacker black market. Obviously Full-Disclosure cannot exist without high-quality content, so I think this is why John Cartwright’s decision to suspend the Full-Disclosure list is entirely reasonable, but still sad.
As to the barriers to its work and evidence of drift:
“Being a regular reader of the list I also regularly see some off-topics, "holy wars", fakes and other garbage that administration has to filter every day. So, I perfectly understand the decision to suspend this list, as managing such a list in a proper way is a titanic daily job, especially nowadays."
Its impressive that motivated campaigners have lasted this long but also a fact that the professionalisation of vulnerabilities and their increasingly private disclosure have changed the dynamic. Enthusiasts are becoming more marginal. What remains extraordinary is that the actions of one individual can bring down something as prominent as Full-Disclosure.
Let's give John Cartwright of Full-Disclosure the last word:
"There is no honour amongst hackers any more. There is no real community. There is precious little skill. The entire security game is becoming more and more regulated. This is all a sign of things to come, and a reflection on the sad state of an industry that should never have become an industry."