Iconic BugTraq Safety Mailing List is closed after 27 years

BugTraq, one of the first mailing lists of the cybersecurity community devoted to public disclosure of security vulnerabilities, announced that it had closed at the end of the month, January 31, 2021.

The platform played a key part in influencing the cybersecurity market in its early, early days.

Created by Scott Chasin on 5 November 1993, BugTraq offered the first unified platform for security researchers to reveal vulnerabilities after vendors failed to issue patches.

The portal has been in the ethical grey zone for many years. Discussions on the web over the legitimacy of “disclosing” security bugs as vendors failed to fix are what influenced much of today’s vulnerability disclosure rules, the axioms that most bug hunters are focused on today.

Nowadays, it seems reasonable for a security researcher to reveal information about a patched or unpatched flaw. Still, those details were sometimes problematic back then, often resulting in a lot of legal challenges.

But as time went on, the success and ideals of BugTraq ruled the day. The gateway is the first location where many big bugs were announced when researchers could not effectively host personal websites and blogs.

Similar bug disclosure lists have been published using BugTraq’s initial model. Several of the protection companies that have been formed over the years also ended up scraping the site’s material as a foundation for their own vulnerability databases.

BugTraq has switched hands several times, from Chasin to Brown University, and then to SecurityFocus, purchased by Symantec.

The end of the portal began in 2019 after Broadcom purchased Symantec. Three months later, in February 2020, the site began adding new content, much of which stayed vacant.

Today, the site’s last maintainers confirmed the portal’s present status and formalized BugTraq’s entrance into the infosec lore.

“At this time, resources for the BugTraq mailing list have not been prioritized, and this will be the last message to the list,” the message read.

While many saw it coming, the site’s announcement sparked a surge of nostalgia from today’s cybersecurity veterans, many of whom have already begun or have been involved on the mailing list since it was introduced.

The former director of security strategy at Intel, and one of the cybersecurity industry’s veterans, Ryan Naraine, said that He’d liken that to Twitter’s effect on the way they connect now.