The Akamai Blog

Full Disclosure Shutdown: A Journalist's Perspective

There's a lot of valuable perspective out there regarding the shutdown of Full Disclosure, a mailing list where researchers posted details of exploits and software security holes. I'll share that perspective below. But first, here are my thoughts as an ex-journalist who often relied on it for news.

For a reporter, Full Disclosure was gold. A decade ago, security vendors often sat on their vulnerabilities and offered precious little information people could use to protect their systems. Long before Microsoft started paying researchers for reporting bugs, the software giant would bristle every time someone disclosed a security hole in its products.

Full Disclosure is where I found the answers vendors wouldn't offer. As a writer who was still learning the ropes of information security, I was beyond grateful for that.

But times have changed. Through blogs, Twitter and other online sources, researchers have plenty of ways to get the word out when they find something. That being the case, Full Disclosure became less important over time. When working on stories, I visited the list with diminished frequency over time.

Chris Eng, Vice President of Research at Veracode, summed it up well in some commentary he shared with Help Net Security:

"Most people I know unsubscribed from Full Disclosure a long time ago. The signal-to-noise ratio is very low, and these days vulnerability researchers have no need for traditional mailing lists to publish their findings. We have blogs and Twitter, not to mention hundreds of security conferences. I think many will be nostalgic about the early days of Full Disclosure, but closing the list will have no noticeable impact on the industry or our ability to share information."

But that will never diminish Full Disclosure's importance in the history of information security. 

Now that I've said my bit, here's some more perspective from around the Web:

Salted Hash blogger Steve Ragan wrote: "After nearly twelve years of operation, the Full Disclosure mailing list is closing due to mounting drama and pressure." 

Akamai Security Advocate Dave Lewis wrote: The news marks a "sad day for the security community."

Attrition.org's Brian Martin (jericho) wrote: "In my eyes, and the eyes of others that truly appreciate what Full-Disclosure has done, the loss of that list is devastating in the short term. Not only will it introduce a small amount of bias in vulnerability aggregation, it will take time to recover. Even if someone else picks up the torch under the same name, or starts a new list to replace it, it will take time for people to transition to the new list."