A week after the shutdown of Full Disclosure sent shockwaves through the security industry, we're getting word that it's getting a second chance. Nmap Project hacker Gordon Fyodor Lyon announced Tuesday that he's taking on management of the list.
In a post called "Full Disclosure Mailing List: A Fresh Start," he wrote:
Upon hearing the bad news, I immediately wrote to John offering help. He said he was through with the list, but suggested: "you don't need me. If you want to start a replacement, go for it." After some soul searching about how much I personally miss the list (despite all its flaws), I've decided to do so!
He said the new list will be lightly moderated like the old list, and a volunteer moderation team will be chosen from the active users.
As before, he added, this will be a public forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. FD differs from other security lists in its open nature, light (versus restrictive) moderation, and support for researchers' right to decide how to disclose their own discovered bugs.
Last week, I wrote that times have changed. Through blogs, Twitter and other online sources, researchers have plenty of ways to get the word out when they find vulnerabilities.
That being the case, I argued, Full Disclosure became less important over time. As a journalist working on stories, I visited the list with diminished frequency over time.
Gordon disagrees with that line of thinking:
Some have argued that we no longer need a Full Disclosure list, or even that mailing lists as a concept are obsolete. They say researchers should just Tweet out links to advisories that can be hosted on Pastebin or company sites. I disagree. Mailing lists create a much more permanent record and their decentralized nature makes them harder to censor or quietly alter in the future. Jericho from OSVDB and Attrition elaborates further in this great post.
I've followed Gordon's work for years and respect him a lot. If anyone can make this work, he can.