http://blog.osvdb.org/2014/03/19/missing-perspective-on-the-closure-of-the-full-disclosure-mail-list/
By jerichoattrition
OSVDB
March 19, 2014
This morning I woke to the news that the Full-Disclosure mail list was
closing its doors. Assuming this is not a hoax (dangerously close to April
1st) and not spoofed mail that somehow got through, there seems to be
perspective missing on the importance of this event. Via Facebook posts
and Twitter I see casual disappointment, insults that the list had a low
signal-to-noise ratio, and that many had stopped reading it a while back. I
don’t begrudge the last comment one bit. The list has certainly had its
share of noise, but that is the price we pay as a community and industry
for having a better source for vulnerability disclosure. Speaking to the
point of mail lists specifically, there were three lists that facilitated
this: Bugtraq, Full-Disclosure, and Open Source Security (OSS). Bugtraq
has been around the longest and is the only alternative to Full-Disclosure
really (remember that VulnWatch didn’t last, and was ultimately low
traffic). OSS is a list that caters to open source software and does not
traffic in commercial software. A majority of the posts come from open
source vendors (e.g. Linux distributions), the software’s maintainer, etc.
It is used as much for disclosure as coordination between vendors and
getting a CVE assigned.

One of the first things that should be said is a sincere “thank you” to
John Cartwright for running the list so long. For those of you who have
not moderated a list, especially a high-traffic list, it is no picnic. The
amount of spam alone makes list moderation a pain in the ass. Add to that
the fake exploits, discussions that devolve into insults, and topics that
are on the fringe of the list’s purpose. Trying to sort out which should
be allowed becomes more difficult than you would think. More importantly,
he has done it in a timely manner for so long. Read that last sentence
again, because that is absolutely critical here. When vulnerability information
goes out, it is important that it goes out to everyone equally. Many mails
sent to Bugtraq and Full-Disclosure are also sent to other parties at the
same time. For example, every day we get up to a dozen mails to the OSVDB
Moderators with new vulnerability information, and the same mails go to those
lists and other sources (e.g. Exploit-DB, OffSec, 1337day). If you use one or a few of
those places as your primary source for vulnerability intelligence, you
want that information as fast as anyone else. A mail sent on Friday
afternoon may hit just one of them, before appearing two days later on the
rest. This is due to the sites being run with varying frequency, work
schedules, and dedication. Cartwright’s quick moderation made sure those
mails went out quickly, often at all hours of the day and over weekends.

While many vulnerability disclosers will send to multiple sources, you
cannot assume that every disclosure will hit every source. Some of these
sites specialize in a type of vulnerability (e.g. web-based), while some
accept most but ignore a subset (e.g. some of the more academic
disclosures). Further, not every discloser sends to all these sources.
Many will send to a single mail list (e.g. Bugtraq or FD), or to both of
them. This is where the problem arises. Many of the people still
posting to the two big disclosure lists are losing the one list
that was basically guaranteed to post their work. Make no mistake, that
isn’t the case for both lists.
[...]