John Cartwright, administrator of the famous Full-Disclosure security e-mail list, posted a bitter and pessimistic announcement today that he is suspending the list indefinitely.
Cartwright attributed the decision to pressure being put on him by an unnamed security researcher — 'one of our own' — to remove large amounts of content from the list archives. This was too much for Cartwright.
When Full-Disclosure launched in 2002, its mission — to allow anonymous reports of security problems, not necessarily with prior disclosure to the vendor — was more controversial than it is now. Vendors may prefer when researchers work with them confidentially before public disclosure, but they don't publicly complain about "irresponsible" disclosure the way they used to.
After the announcement and some nonsense typical of Full-Disclosure, the first posting of substance was "IIS double UTF decoding bug (old) exploit: IIS explorer". It was an old vulnerability, but the posting included a script kiddie-friendly PHP exploit.
The signal-to-noise ratio on Full-Disclosure has been on the low side at times over the 12 years of the list. This distinguished it from moderated lists, such as Bugtraq. But once Full-Disclosure showed up, things tended to happen there first.
But things change rapidly in this business, and Full-Disclosure is no longer where the action is. When security news breaks now, it breaks on Twitter first and spreads from there.
As Tod Beardsley, Engineering Manager at Rapid7, puts it, "...today, we have lots and lots of high-quality alternatives [to Full-Disclosure]. Heck, just have a Twitter or Google News keyword of "Metasploit" and you'll get some pretty decent intel on what the world is looking at. Projects like OSVDB and Exploit-DB also very handily fill the role that F-D pioneered of ensuring that public access to vulnerabilities is still possible." [Note: Metasploit, a tool for building and executing exploit code, is a product of Rapid7.]