Full disclosure (mailing list)
Full disclosure is a "lightly moderated" security mailing list generally used for discussion about information security and disclosure of vulnerabilities. The list was created on July 9, 2002, by Len Rose and also administered by him, who later handed it off to John Cartwright. After Len Rose shut down netsys.com, the list was hosted and sponsored by Secunia.[1]
The Full Disclosure mailing list was originally created because many people felt that the Bugtraq mailing list had "changed for the worse".[2]
In March 2014 Cartwright shutdown the original Full-Disclosure mailing list because an "unnamed" security researcher made requests for large-scale deletion of information and threatened legal action.[3] Cartwright wrote on the list's homepage, "I always assumed that the turning point would be a sweeping request for large-scale deletion of information that some vendor or other had taken exception to. I never imagined that request might come from a researcher within the 'community' itself."[3][4]
On March 25, 2014, the list was "rebooted" by Fyodor.[5] The site is now part of seclists.org and no longer associated with grok.org.uk.
Notable 0-days first disclosed in Full-disclosure
Email subject | Software | Date | Ref. |
---|---|---|---|
Defense in depth -- the Microsoft way (part 14): incomplete, misleading and dangerous documentation | Windows NT | 2013-11-24 | [6] |
Defense in depth -- the Microsoft way (part 11): privilege escalation for dummies | Windows NT | 2013-10-02 | [7] |
The history of a -probably- 13 years old Oracle bug: TNS Poison | Oracle Database | 2012-04-18 | [8] |
Apache Killer | Apache HTTP Server | 2011-08-26 | [9] |
Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly | Help and Support Center | 2010-06-10 | [10] |
Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack | Windows NT | 2010-01-19 | [11] |
References
- "Full-Disclosure Mailing List Charter".
- Cartwright, John (July 7, 2002). "Announcing new security mailing list". Retrieved November 15, 2020.
- Constantin, Lucian (March 19, 2014). "Full Disclosure mailing list shuts down indefinitely". Computerworld. Retrieved November 15, 2020.
- Cartwright, John (February 6, 2019). "Full-Disclosure mailing list". Retrieved November 15, 2020.
- Fyodor (2014-03-26). "Rebooting the Full Disclosure list". Retrieved 2014-03-26.
- "MS14-019 - Fixing a binary hijacking via .cmd or .bat file".
- "Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet".
- "Unpatched Oracle database vulnerability accidentally disclosed".
- "Defending Against The 'Apache Killer' Exploit".
- "Google researcher gives Microsoft 5 days to fix XP zero-day bug".
- "Unpatched Microsoft Windows (all versions) Privilege Escalation Vulnerability Released".