The FD list has shut down and been replaced with a spiritual successor here. As such the following document exists purely for historical interest.
John Cartwright <johnc@grok.org.uk>
Last updated: March 2013
The [Full-Disclosure] Mailing List (or 'FD' for short) is an email list primarily concerned with the announcement and discussion of security vulnerabilities. The list is named after the concept of 'full disclosure' - that is, providing all of the details about something, and not withholding information, so that an informed decision is possible.
The list is governed by a charter, available at http://www.grok.org.uk/full-disclosure/charter.html.
The list was the brainchild of Len Rose and John Cartwright. Following discussions in early 2002, Len created the list (at lists.netsys.com) on 9th July 2002, and management of the list was shared between Len and John until Len's retirement in October 2004. John then took on full-time operation of the list, which moved to its current home at lists.grok.org.uk in 2005.
It is widely believed that the creation of the list was related to the August 2002 acquisition of Bugtraq by Symantec. In reality, this was simply coincidental.
The list has been sponsored by Secunia (http://secunia.com/) since 2005. They generously provide the hardware and network connectivity needed in order to keep the list running.
It is one of the stated aims of the project to keep the mailing list free of any corporate control, and the list is operated as a non-profit service in order to meet this goal.
Simply subscribe at http://lists.grok.org.uk/mailman/listinfo/full-disclosure. A password will be automatically generated for you - use the web-based form to request a reminder if you wish to log in and set options. Options available include 'digest' and 'nomail' - the latter being useful for posting-only accounts who do not wish to receive list traffic via email.
Use the web-based form at http://lists.grok.org.uk/mailman/listinfo/full-disclosure to request a password reminder if needed. Then simply use these credentials to remove yourself from the list.
The list was originally completely unmoderated. However, following the move to lists.grok.org.uk, 'light moderation' was eventually introduced in 2010 by John Cartwright due to a number of concerns, primarly due to the different legal climate in Europe vs. that afforded by the list's US-based origins.
Subscribers who were members of the list before then are not moderated.
Please see the archived copy of the relevant Administrivia at http://lists.grok.org.uk/pipermail/full-disclosure/2010-March/073809.html for further details.
The list administration will spend the least amount of time possible (if any) in deciding if a post is acceptable according to the list charter. This activity is primarily concerned with filtering obviously-defamatory posts that could cause the list or its management legal trouble. Note that the majority of accounts are not moderated in any way.
Unlike the subscriber addresses that existed before moderation was introduced, new subscribers are now placed into a moderated state. Additionally, existing addresses may become moderated due to repeated or serious off-topic or abusive posts.
A moderated poster may become unmoderated at the discretion of the list administration. This is based on a number of factors such as quality of posts, reputation of the poster, general behaviour, etc.
The official archive of postings is available at http://lists.grok.org.uk/pipermail/full-disclosure/.
There are also a number of third party archives in operation, some of which are listed at http://www.grok.org.uk/full-disclosure/mirrors.html.
Please contact the list administrator in the first instance. Note that a clear, legally-justified reason for takedown must be provided in order to prevent unjustified censorship of list content.
It is important to note that many third parties maintain their own unofficial archives which have their own policies and procedures which must be followed in order to request content removal.
Due to software limitations and the need to occasionally remove posts for legal reasons, a number of archive URLs became invalidated over the years. Tracking down the correct URL in such an instance is usually straightforward - please contact the list administrator for assistance.
"For the record, I don't believe full disclosure of all security bugs is a good thing - but I do believe in all or nothing. If someone decides to tell the world, then I think they should provide all the necessary details. That is the real purpose of the FD list, in my opinion." - John Cartwright