R.I.P Full-Disclosure… What’s Next?

Sad news received today, a (last) message was posted in the Full-Disclosure mailing-list. John Cartwright, one of the founder and owner, anounced the end of the list (copy here). Personally, I subscribed in December 2006 (more than seven years ago!). I was  a passive reader but learned so many interesting stuff!

I was surprised to read John’s announce but I can fully understand and respect his decision. Operating a public service in 2002 or today is something completely different. The word “public” is the main issue here. Why? First of all, the mailing-list was open to everybody after a simple registration. It started completely unmoderated but, around 2010, some controls were added. Was it a first smoke signal? Maybe… But, the list archive being replicated on multiple sites, Google & co made their job and indexed all the content. Today, the behavior of most organizations changed and they try to keep an eye on what’s being said about them. It became usual to send a request asking to remove some sensitive content. According to John, the number of such requests kept growing with the time. I could imagine the workload to handle this!

Over the years, more and more people subscribed to the list, “young” people jumped into the security community (no, I don’t consider myself as old ;-)) and the list was also known to be, from time to time often, flooded by flamewars. The last example was a few days ago about the vulnerability reported on Youtube… But that’s normal… a space to express yourself open to anymore, people from different countries, different experiences and generations, all the ingredients were present for clashes!

What is a shame is the lack of strong community in the infosec field. What’s next? A fork of a new Full-Disclosure? In which format? Mailing-list, forum, Google group? Personally I prefer a solution based on emails. It’s easy to read, archive, process. Who will join? If the same people move to the new platform, the same problems will occur again. What about restricting the access and moderation? I’m definitively for people freedom but today you can’t definitively publish everything online. Create an “underground” list whitout community? There are already plenty… It’s maybe time to review the concept but we definitively need a Full-Disclosure mailing list!

Thank you John for your awesome work!