
The FD list has shut down and been replaced with a spiritual successor here. As such this document exists purely for historical interest.

The [Full-Disclosure] FAQ

John Cartwright <johnc@grok.org.uk>
Last updated: March 2013

History and Purpose

What is [Full-Disclosure]?

The [Full-Disclosure] Mailing List (or 'FD' for short) is an email list primarily concerned with the announcement and discussion of security vulnerabilities. The list is named after the concept of 'full disclosure' – that is, providing all of the details about something, and not withholding information, so that an informed decision is possible.

The list is governed by a charter, available at http://www.grok.org.uk/full-disclosure/charter.html.

Who is responsible for it?

The list was the brainchild of Len Rose and John Cartwright. Following discussions in early 2002, Len created the list (at lists.netsys.com) on 9th July 2002, and management of the list was shared between Len and John until Len's retirement in October 2004. John then took on full-time operation of the list, which moved to its current home at lists.grok.org.uk in 2005.

It is widely believed that the creation of the list was related to the August 2002 acquisition of Bugtraq by Symantec. In reality, this was coincidental.

Who sponsors [Full-Disclosure]?

The list has been sponsored by Secunia (http://secunia.com/) since 2005. They generously provide the hardware and network connectivity needed to keep the list running.

It is one of the stated aims of the project to keep the mailing list free of any corporate control, and the list is operated as a non-profit service in order to meet this goal.

Subscription

How do I join the list?

Simply subscribe at http://lists.grok.org.uk/mailman/listinfo/full-disclosure. A password will be automatically generated for you – use the web-based form to request a reminder if you wish to log in and set options. Options available include 'digest' and 'nomail' – the latter being useful for posting-only accounts that do not wish to receive list traffic via email.

How do I leave the list?

Use the web-based form at http://lists.grok.org.uk/mailman/listinfo/full-disclosure to request a password reminder if needed. Then simply use these credentials to remove yourself from the list.

Moderation

Is the list moderated?

The list was originally completely unmoderated. However, following the move to lists.grok.org.uk, 'light moderation' was introduced in 2010 by John Cartwright due to a number of concerns, primarily related to legal differences in Europe vs. the US.

Subscribers who were members of the list before then are not moderated.

Please see the archived copy of the relevant Administrivia at http://lists.grok.org.uk/pipermail/full-disclosure/2010-March/073809.html for further details.

What does 'lightly-moderated' mean?

The list administration will spend the least amount of time possible (if any) deciding if a post is acceptable according to the list charter. This is primarily concerned with filtering obviously defamatory posts that could cause the list or its management legal trouble. The majority of accounts are not moderated in any way.

How does an address become moderated?

New subscribers are placed into a moderated state. Additionally, existing addresses may become moderated due to repeated or serious off-topic or abusive posts.

How does an address become unmoderated?

A moderated poster may become unmoderated at the discretion of the list administration, based on factors such as quality of posts, reputation, and general behaviour.

List Archives

Where is the list archived?

The official archive of postings is available at http://lists.grok.org.uk/pipermail/full-disclosure/.

There are also a number of third-party archives.

How do I get content removed from the archives?

Please contact the list administrator in the first instance. A clear, legally justified reason for takedown must be provided to prevent unjustified censorship.

Many third-party archives maintain their own policies, which must be followed for removal requests.

Why are some archive links broken?

Due to software limitations and occasional removal of posts for legal reasons, some archive URLs became invalid over the years. Contact the list administrator for assistance in finding the correct URL.

Miscellaneous

What are your views on the full disclosure debate?

"For the record, I don't believe full disclosure of all security bugs is a good thing – but I do believe in all or nothing. If someone decides to tell the world, then they should provide all the necessary details. That is the real purpose of the FD list, in my opinion." – John Cartwright