Missing Perspective on the Closure of the Full-Disclosure Mail List

[InfoSec News <alerts () infosecnews org>]

http://blog.osvdb.org/2014/03/19/missing-perspective-on-the-closure-of-the-full-disclosure-mail-list/

By jerichoattrition
OSVDB
March 19, 2014

This morning I woke to the news that the Full-Disclosure mail list was 
closing its doors. Assuming this is not a hoax (dangerously close to April 
1st) and not spoofed mail that somehow got through, there seems to be 
perspective missing on the importance of this event. Via Facebook posts 
and Twitter I see casual disappointment, insults that the list was low 
signal to noise, and that many had stopped reading it a while back. I 
don’t begrudge the last comment one bit. The list has certainly had its 
share of noise, but that is the price we pay as a community and industry 
for having a better source for vulnerability disclosure. Speaking to the 
point of mail lists specifically, there were three lists that facilitated 
this: Bugtraq, Full-Disclosure, and Open Source Security (OSS). Bugtraq 
has been around the longest and is the only alternative to Full-Disclosure 
really (remember that VulnWatch didn’t last, and was ultimately low 
traffic). OSS is a list that caters to open source software and does not 
traffic in commercial software. A majority of the posts come from open 
source vendors (e.g. Linux distributions), the software’s maintainer, etc. 
It is used as much for disclosure as coordination between vendors and 
getting a CVE assigned.

One of the first things that should be said is a sincere “thank you” to 
John Cartwright for running the list so long. For those of you who have 
not moderated a list, especially a high-traffic list, it is no picnic. The 
amount of spam alone makes list moderation a pain in the ass. Add to that 
the fake exploits, discussions that devolve into insults, and topics that 
are on the fringe of the list’s purpose. Trying to sort out which should 
be allowed becomes more difficult than you would think. More importantly, 
he has done it in a timely manner for so long. Read the bold part again, 
because that is absolutely critical here. When vulnerability information 
goes out, it is important that it goes out to everyone equally. Many mails 
sent to Bugtraq and Full-Disclosure are also sent to other parties at the 
same time. For example, every day we get up to a dozen mails to the OSVDB 
Moderators with new vulnerability information, and those lists and other 
sources (e.g. Exploit-DB, OffSec, 1337day). If you use one or a few of 
those places as your primary source for vulnerability intelligence, you 
want that information as fast as anyone else. A mail sent on Friday 
afternoon may hit just one of them, before appearing two days later on the 
rest. This is due to the sites being run with varying frequency, work 
schedules, and dedication. Cartwright’s quick moderation made sure those 
mails went out quickly, often at all hours of the day and over weekends.

While many vulnerability disclosers will send to multiple sources, you 
cannot assume that every disclosure will hit every source. Some of these 
sites specialize in a type of vulnerability (e.g. web-based), while some 
accept most but ignore a subset (e.g. some of the more academic 
disclosures). Further, not every discloser sends to all these sources. 
Many will send to a single mail list (e.g. Bugtraq or FD), or to both of 
them. This is where the problem arises. For many of the people still 
posting to the two big disclosure lists, they are losing out on the list 
that was basically guaranteed to post their work. Make no mistake, that 
isn’t the case for both lists.

[...]

--
Find the best IT Security talent without breaking your recruiting budget.
Jobs cross-posted to Simply Hired, Facebook and LinkedIn.
Hot InfoSec Jobs - http://www.hotinfosecjobs.com/