Iconic BugTraq Security Mailing List Shuts Down After 27 Years

BugTraq, one of the cybersecurity industry's first mailing lists dedicated to publicly disclosing security flaws, announced today it was shutting down at the end of the month, on January 31, 2021.

The site played a crucial role in shaping the cybersecurity industry in its early, fledgling days.

Established by Scott Chasin on November 5, 1993, BugTraq provided the first centralized portal where security researchers could expose vulnerabilities after vendors refused to release patches.

The portal existed for many years in a legal gray zone. Discussions on the site about the legality of "disclosing" security flaws when vendors refused to patch are what shaped most of today's vulnerability disclosure guidelines, the axioms on which most bug hunters operate today.

Today, it sounds reasonable for a security researcher to release details about a patched or unpatched bug, but back then, such details were often controversial, sometimes resulting in many legal threats.

But as time went by, BugTraq's popularity and principles won the day. The portal became the first place where many major vulnerabilities were announced in an era where researchers couldn't easily host personal sites and blogs.

Similar bug disclosure lists were released following BugTraq's original model, and many security firms founded across the years often ended up scraping the site's content as a base for their own vulnerability databases.

BugTraq's demise

BugTraq itself also exchanged hands several times, from Chasin to Brown University, then to SecurityFocus, which was acquired by Symantec.

The portal's demise started in 2019 when Broadcom acquired Symantec. Three months later, in February 2020, the site stopped adding new content, remaining mostly an empty shell.

Today, the site's last maintainers confirmed the portal's current state of affairs and formalized BugTraq's passing into infosec lore.

"At this time, resources for the BugTraq mailing list have not been prioritized, and this will be the last message to the list," the message read.

Although many saw it coming, the site's announcement triggered a wave of nostalgia from today's cybersecurity veterans, many of which either started or were active on the mailing list since its launch.

"I'd liken it impact to the impact Twitter currently has on the way we communicate today," said Ryan Naraine, former director of security strategy at Intel, and one of the cybersecurity industry's veterans.

"Except that it was mandatory to be on there [on BugTraq] to get advisories and live commentary from what wasn't yet a fully formed security industry.

"So many big stories were originally announced in BugTraq and FullDisclosure [another similar mailing list]," Naraine added.

"It's the place the Litchfields made their name in the early days. I remember David Litchfield consistently dropping Oracle hacking tools and research.

"It was the watercooler that connected what was emerging as a security industry."