Why is Full-Disclosure shutting down?
The whole point of the Full-Disclosure mailing list, by definition, is full disclosure about security vulnerabilities, which can sometimes be a dicey issue. There is a right and a wrong way to do disclosure, and I’ve long been of the opinion that vendors should always be notified first and given some time to respond. That’s just fair. I had long suspected that at some point a vendor would claim it wasn’t contacted or given enough time, and that would trigger some form of legal request for Full-Disclosure’s shutdown. In his final Full-Disclosure posting, Cartwright wrote that he too had thought the end would likely come from some kind of vendor request.
The end of Full-Disclosure, however, is not coming because of a vendor request. Surprisingly, it’s coming because of a security researcher.