Reading Bugtraq religiously

There is a mailing list called Bugtraq which I have been reading every day for about a month.

It is run by Aleph One. It is a full-disclosure list, which means people post the actual details of vulnerabilities they have found in commercial and free software, sometimes with proof-of-concept code, almost always with enough information to reproduce the issue. There is an ongoing argument in the community about whether full disclosure is irresponsible. I have not yet decided what I think about that argument. What I can say is that reading the list every day is the single most useful thing I have done as someone trying to learn this discipline.

Why a mailing list

Websites had not really taken over yet when this culture formed. The mailing list is still the natural unit of conversation in the security world, and it has some properties I have come to appreciate.

First, the threading. A vulnerability post arrives. People reply with refinements, with patches, with confirmation of the issue on other platforms. The conversation is preserved. You can follow the whole arc.

Second, the lack of an editorial layer. There is a moderator, but no journalist mediates between the researcher and the reader. You see the original report. You see what the vendor said. You see whether the vendor's response was reasonable.

Third, the cadence. A few dozen messages a day. It is a lot to keep up with, but it is finite.

The first month is humiliating

For the first three weeks I understood maybe a third of what I read. The vocabulary alone is a hill: stack overflow, format string, race condition, off-by-one, signedness bug, setuid. Each one is its own little discipline. Every vulnerability post is essentially a five-paragraph essay assuming the reader already knows the discipline.

I made a rule for myself. If I did not understand a post, I would mark it and come back to it at the weekend. Sundays became reading days. I work through the unread pile, looking up everything I did not know on the way. Some of those entries become their own follow-up reading. The pile shrinks slowly.

The thing the list teaches you that no book does

Books describe categories of vulnerability. Bugtraq shows you the texture of them: the way a particular sendmail bug looks, the way the report is phrased, the way the patch reasons about the fix. After a month of texture, you start to notice patterns nothing taught you to look for.

The other thing the list teaches you is humility. The names that show up most often — names you start recognising — clearly have decades of experience between them. Reading their posts is like sitting at the back of a senior common room.

What I have started doing with the posts

I have started keeping a notebook of vulnerabilities I have read about, organised loosely by category. When I install something on my own box, I check whether it has shown up on the list recently. I have been bitten once or twice by not checking, which has reinforced the habit nicely.

Next post: my first attempt at writing ipfwadm rules, which I have spent the last week trying to make less embarrassing.
