Iconic BugTraq safety mailing record shuts down after 27 years

BugTraq, one of many cybersecurity business’s first mailing lists devoted to publicly disclosing safety flaws, introduced as we speak it was shutting down on the finish of the month, on January 31, 2021.

The web site performed an important position in shaping the cybersecurity business in its early, fledgling days.

Established by Scott Chasin on November 5, 1993, BugTraq offered the primary centralized portal the place safety researchers might expose vulnerabilities after distributors refused to launch patches.

The portal existed for a few years in a authorized grey zone. Discussions on the positioning concerning the legality of “disclosing” safety flaws when distributors refused to patch are what formed most of as we speak’s vulnerability disclosure tips, the axioms on which most bug hunters function as we speak.

Today, it sounds cheap for a safety researcher to launch particulars a couple of patched or unpatched bug, however again then, such particulars have been typically controversial, typically leading to many authorized threats.

But as time glided by, BugTraq’s recognition and rules received the day. The portal grew to become the primary place the place many main vulnerabilities have been introduced in an period the place researchers could not simply host private websites and blogs.

Similar bug disclosure lists have been launched following BugTraq’s unique mannequin, and plenty of safety corporations based throughout the years typically ended up scraping the positioning’s content material as a base for their very own vulnerability databases.

BugTraq’s demise

BugTraq itself additionally exchanged palms a number of occasions, from Chasin to Brown University, then to SecurityFocus, which was acquired by Symantec.

The portal’s demise began in 2019 when Broadcom acquired Symantec. Three months later, in February 2020, the positioning stopped including new content material, remaining largely an empty shell.

Today, the positioning’s final maintainers confirmed the portal’s present state of affairs and formalized BugTraq’s passing into infosec lore.

“At this time, resources for the BugTraq mailing list have not been prioritized, and this will be the last message to the list,” the message learn.

Although many noticed it coming, the positioning’s announcement triggered a wave of nostalgia from as we speak’s cybersecurity veterans, lots of which both began or have been energetic on the mailing record since its launch.

“I’d liken it impact to the impact Twitter currently has on the way we communicate today,” stated Ryan Naraine, former director of safety technique at Intel, and one of many cybersecurity business’s veterans.

“Except that it was mandatory to be on there [on BugTraq] to get advisories and live commentary from what wasn’t yet a fully formed security industry.

“So many huge tales have been initially introduced in BugTraq and FullDisclosure [another similar mailing list],” Naraine added.

“It’s the place the Litchfields made their identify within the early days. I keep in mind David Litchfield persistently dropping Oracle hacking instruments and analysis.

“It was the watercooler that connected what was emerging as a security industry.”