FD Moderation

From SecWiki

Full Disclosure Mailing List Moderation Guidelines

Messages to the Full Disclosure Mailing List are moderated to reduce the number of crappy posts. But time is of the essence with a list of this nature, so we try to reduce the moderation delay as much as possible. The current moderators are Fyodor, Brandon Enright, and Daniel Miller. We're planning to recruit more moderators in multiple time zones to further reduce the delay.

The primary criterion when evaluating messages is: does this provide enough useful and security-relevant information to justify mailing it to 11,000 people? All the other rules on this page generally derive from that.

Advisories

This is the bread and butter of the list. Our preference is for the full advisory to be included in the body of the message itself, with as much technical detail as you can provide. Including a PDF attachment is OK as long as you include a summary in the body of your message. Sending just a link to the vulnerability is problematic because URLs often aren't valid for long, while we've been archiving all the Full-Disclosure posts since the original list started way back in 2002. If you must send a link instead of the full advisory text, please also include in the email at least a good summary of the vulnerability, including the affected products and any technical details you can share about the vulnerability itself. If you are sending full details in the mail itself, there is nothing wrong with ALSO including a link to the advisory on your web site.

Conference Announcements

Conferences are a bit outside the scope of Full Disclosure, but they are also an important resource for the community. And so we allow announcements through if they meet all of these requirements:

  • Security must be the primary focus of the conference. It can't just be one of multiple tracks or topics.
  • The conference must be of interest to the international community of this list. A meetup for people in a smaller geographical area should just be advertised in that area rather than to this international list.
  • Only one post is allowed per conference. So you need to decide whether to post a CFP or a more general announcement or a speaker schedule or some combination of those. Also note that the single-post limit is for an individual conference year. If the conference is held the following year, you can post about it again. A post after the conference providing links to the session videos is also welcome and does not count as their one post of the year.

Jokes, sarcasm, pithy comments

One-liner posts, including jokes and sarcastic comments, are generally rejected. Those should just be sent directly to the original poster. We reserve the right to make exceptions in truly hilarious cases.

Opinions

This list is intended more for facts than opinions, so we generally don't post messages which simply state opinions on a matter. It is best to just send those directly to the original poster. We reserve the right to make exceptions in the cases of particularly epic rants.

Requests for vendor security contacts

We normally don't put these through. If a vendor is ignoring your reports or does not make contact information available, we recommend sending full details of the bug through to the list and hopefully the vendor will see it. After all, this is the Full Disclosure list. And if the vendors don't like that, maybe they will publish security contact information and take the reports seriously.

Tool Announcements

Useful new tools and improvements to existing favorites are valuable contributions to the community. At the same time, list members don't want to be flooded by announcements of barely relevant tools or minor new versions. So the moderators use these criteria for tool announcements:

  • The tool must be primarily security focused
  • The tool must be freely available. Submissions will generally be rejected if a commercial/paid version exists, even if there is also a demo/trial/limited free version. This isn't a commercial marketing list.
  • Source code must be available to reduce the risk of trojans, etc.
  • Don't flood the list. Unless this is a fast-moving issue such as writing and improving tools related to a newly released vulnerability, announcements should be at least two months apart.
  • Describe the tool in the announcement (even for new versions). New versions should also have important changes and improvements listed in the email. If there aren't any major improvements, don't post it.

Commercial Advertisements/PR posts

This is meant to be a free list for the community, so posts advertising/promoting commercial services or software or pure PR "news" about a company will generally be rejected. Of course some companies post legitimate security research and disclosures in part for the PR value they gain, and that is fine.

Security questions or requests for help

This list currently (March 2015) has 11,000 members and it's usually not the right place to ask general security questions or for help on school/work projects. We normally only accept these when we think the question and answers will be particularly interesting or informative to the Full Disclosure audience. Informed questions about a specific vulnerability posted to the list are often approved since the answers are likely to benefit everyone.

Links to articles, blog posts, papers, videos, webcasts, etc.

These are OK as long as they are useful and security-relevant, but please provide at least a few sentences of summary so readers understand the post even if they don't follow the link. We generally reject posts that just contain a URL with no context. We also generally reject anything which requires registration or payment to view.