
The FD list has shut down and been replaced with a spiritual successor here. As such the following document exists purely for historical interest.

The [Full-Disclosure] FAQ

John Cartwright <>
Last updated: March 2013

History and Purpose

What is [Full-Disclosure]?

The [Full-Disclosure] Mailing List (or 'FD' for short) is an email list primarily concerned with the announcement and discussion of security vulnerabilities. The list is named after the concept of 'full disclosure' - that is, providing all of the details about something, and not withholding information, so that an informed decision is possible.

The list is governed by a charter, available at

Who is responsible for it?

The list was the brainchild of Len Rose and John Cartwright. Following discussions in early 2002, Len created the list (at on 9th July 2002, and management of the list was shared between Len and John until Len's retirement in October 2004. John then took on full-time operation of the list, which moved to its current home at in 2005.

It is widely believed that the creation of the list was related to the August 2002 acquisition of Bugtraq by Symantec. In reality, this was simply coincidental.

Who sponsors [Full-Disclosure]?

The list has been sponsored by Secunia ( since 2005. They generously provide the hardware and network connectivity needed in order to keep the list running.

It is one of the stated aims of the project to keep the mailing list free of any corporate control, and the list is operated as a non-profit service in order to meet this goal.


How do I join the list?

Simply subscribe at A password will be automatically generated for you - use the web-based form to request a reminder if you wish to log in and set options. Options available include 'digest' and 'nomail' - the latter being useful for posting-only accounts who do not wish to receive list traffic via email.

How do I leave the list?

Use the web-based form at to request a password reminder if needed. Then simply use these credentials to remove yourself from the list.


Is the list moderated?

The list was originally completely unmoderated. However, following the move to, 'light moderation' was eventually introduced in 2010 by John Cartwright due to a number of concerns, primarily the different legal climate in Europe vs. that afforded by the list's US-based origins.

Subscribers who were members of the list before then are not moderated.

Please see the archived copy of the relevant Administrivia at for further details.

What does 'lightly-moderated' mean?

The list administration will spend the least amount of time possible (if any) in deciding if a post is acceptable according to the list charter. This activity is primarily concerned with filtering obviously-defamatory posts that could cause the list or its management legal trouble. Note that the majority of accounts are not moderated in any way.

How does an address become moderated?

Unlike the subscriber addresses that existed before moderation was introduced, new subscribers are now placed into a moderated state. Additionally, existing addresses may become moderated due to repeated or serious off-topic or abusive posts.

How does an address become unmoderated?

A moderated poster may become unmoderated at the discretion of the list administration. This is based on a number of factors such as quality of posts, reputation of the poster, general behaviour, etc.

List Archives

Where is the list archived?

The official archive of postings is available at

There are also a number of third party archives in operation, some of which are listed at

How do I get content removed from the list archives?

Please contact the list administrator in the first instance. Note that a clear, legally-justified reason for takedown must be provided in order to prevent unjustified censorship of list content.

It is important to note that many third parties maintain their own unofficial archives, each with its own policies and procedures that must be followed in order to request content removal.

Why are some of the archive links broken?

Due to software limitations and the need to occasionally remove posts for legal reasons, a number of archive URLs became invalidated over the years. Tracking down the correct URL in such an instance is usually straightforward - please contact the list administrator for assistance.


What are your views on the full disclosure debate?

"For the record, I don't believe full disclosure of all security bugs is a good thing - but I do believe in all or nothing. If someone decides to tell the world, then I think they should provide all the necessary details. That is the real purpose of the FD list, in my opinion." - John Cartwright