The IT Security Research Vulnerability Disclosure Metaphor

Imagine that I am an expert on the subject of an imaginary species of elephant, and all aspects of its behavior.  Having studied them at length, I've discovered that almost any given specimen of this imaginary species will go berserk if it gets a jalapeno chile in its trunk. 

It has come to my attention that the local zoo is selling jalapenos to tourists, and from a stand right by the imaginary species of elephant enclosure, no less.  I go to the zoo keepers with my findings, but they scoff at the danger, and show no inclination towards fixing this safety problem!  They consider my behavioral factoids to be so obscure as to render this terrible danger harmless; of course they are wrong, I am right, it's irrefutable. 

So now it's up to me to make the public aware of this (and gain recognition for my work as well), and ultimately compel the zoo to cease the sale of jalapenos.  So I go to the zoo, I purchase some jalapenos from the stand, I find some empty peanut shells, and stuff them with jalapenos, as proof of concept.  But what to do with them that wouldn't be culpable?

I happen to notice a group of al Qaeda terrorists lustfully eyeing the females in the camel exhibit.  Coincidentally, I also happen to know a little about Arab terrorists, and I fully expect them to be highly interested in any discovery that will cause random harm.   I walk to within earshot and proceed to explain my discovery to no one in particular.  I point out the stand that sells both jalapenos and peanuts, and demonstrate the construction of a jalapeno-stuffed peanut, though I'm careful not to leave any of mine when I walk away. 

In doing so I attract the terrorists' attention, and thereby virtually guarantee they will attempt to exploit my findings.  When they do, I fully expect some of the elephants to come unglued, and I also expect the onlooking crowd to be in grave danger when this shortly occurs. 

So I quickly move to a patch of high ground, from which to watch the drama unfold.  Predictably, the terrorists start lobbing jalapeno-stuffed peanuts into the area where the elephants are feeding.  More predictably, one of the elephants picks up one with his trunk.  And most predictably, that elephant flips, completely out of control, crashes out of its enclosure, and tramples dozens of people to death.  Hundreds more are injured as the huge beast escapes the zoo, and thousands are delayed when sharp-shooters must kill the elephant as it's charging down the middle of an interstate freeway, during rush hour traffic.

Now, it is true that I personally did not directly cause any of the mayhem -- in that I did not bring the elephants or the tourists to the zoo, I did not decide to sell jalapenos at the food stands, I did not sell admission tickets to the terrorists, and most of all, I did not feed the jalapenos to the elephants.  I didn't even tell the terrorists about elephants' behavior, I was merely publishing my findings for the public.

However, I knew with certainty the danger of being near a freaked-out elephant.  I knew the Arabs were more than likely to jump at the chance to cause random destruction, and I knew that people would be crushed when the elephant wigged out. 

I knew the terrorists would have access to the information I published -- indeed I expected them to take notice.  If not for my publication, they would never have thought to try this, and their damage for the day would've been limited to the chastity of a few most-attractive camels, at worst.

When I disclosed my findings to the public, I advised explicitly that this must not be attempted with real elephants and/or people nearby.  Further, to protect myself legally, I notified the public in writing of the inherent dangers, and specifically disclaimed any/all liability for damage incurred by their actions, should anyone fail to heed my advice. 

By virtue of the disclosure noted above, I perceive no responsibility for the actions of the terrorists -- even though I was well aware of their intentions.  I had no reason at all to believe they'd respect my alleged concern for life and property, and every reason to believe they would use the information I provided to perpetrate an act of violence of which they would otherwise have been incapable, had I not taught it to them.  Yet I still color myself blameless?

The questions:


Copyright ©2008 Mark J. McGinty, All rights reserved