Feeds

RIP Full Disclosure: Security world reacts to key mailing list's death

'I realised that I'm done' sighs co-admin of vulnerability clearing house

Beginner's guide to SSL certificates

Welcome to the world of no disclosure – more reactions

"Vendors in the earlier stages of The 5 Stages of Vuln Response Grief won't get why the loss of Full Disclosure is a loss to us all," Katie Moussouris, security strategist and self-described mother of the Microsoft Bounty Program said on Twitter, referring to her RSA 2013 talk on how companies deal with security bug reports (see video below).

"Full Disclosure mailing list shutdown makes me sad. I remember starting Symantec Vuln Research and posting our advisories there and BugTraq."

Other security researchers reckon the shutdown will only have a minimal impact on the way vulnerabilities are shared.

Jon French, security analyst at AppRiver, said: "Places that disclose security vulnerabilities are all over the internet. The big difference between many of these sites is the user base. A user base of hackers and nefarious users will likely have a much different public image and draw more scrutiny than one of security professionals.

"In this case, Full Disclosure has made the decision that the user base is to a point they no longer think is viable and the legal issues are no longer worth the trouble."

"It doesn’t sound like it was closed for fear of legal interventions, but rather that he’s just tired of dealing with the attempts of legal intervention. It’s hard to judge the decision to close down as being a right one or not since we don’t know the details. While this is a blow to websites that try to be open and free, I don’t think it will have too much of an impact on the way vulnerabilities are shared," French added.

Tom Cross, director of security research for Lancope, commented: "Having a forum where vulnerability details are disclosed helps ensure that everyone is aware of that information as soon as it emerges. The loss of this forum may result in more chaotic disclosures which will make remediating these issues more challenging. Hopefully an alternative forum will emerge."

Some are already beginning to think of ways to fill the gap left by Full Disclosure.

Chris Wysopal, co-founder and chief technology officer at code review firm Veracode, said: "Full disclosure can easily still be done with a tweet with ‪#fulldisclosure‬ and a link to Pastebin or other text hosting site."

More reflection on they sad demise of Full Disclosure can be found in a blog post by security blogger Javvad Malik here. ®

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...
FYI this isn't just going to target Windows, Linux and OS X fans
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
prev story

Whitepapers

Go beyond APM with real-time IT operations analytics
How IT operations teams can harness the wealth of wire data already flowing through their environment for real-time operational intelligence.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
10 threats to successful enterprise endpoint backup
10 threats to a successful backup including issues with BYOD, slow backups and ineffective security.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.