Responsible Disclosure? How About Responsible Behavior?





A vulnerability was discovered today in Apple’s laptops that allows you to log into a root account with no password.



I am not 100% sure what Responsible Disclosure means. Seems like it has lots of definitions, and that they change based on the person and over time. So requiring someone to “responsibly disclose” something—according to whatever arbitrary definition they’re using—seems like a silly and unrealistic standard.



But maybe it’ll be easier to agree on responsible behavior. And sometimes it’s easier to transfer the situation to another industry to remove our watch-strap bias.



Something orange and green in a Petri dish



Let’s say I’m a smart, young biologist and I just ordered a new do-it-yourself CRISPR kit. And let’s say I just stumbled onto a way—after 7 weeks of backbreaking orthogonal research—to make Ebola live longer in a dormant state while simultaneously being more deadly. So if it were released it could kill millions or even billions of people.



Again, in this situation there seem to be a lot of different ways to do the right thing. The path is not clear. But I absolutely know what not to do.




It’s not ok to find an ISIS representative online and sell the secret for $400,000 so my kids can go to Harvard.
I’m not going to make a mural of the DNA sequence of the new strain, and paint it on the side of my house and invite the local news to film it.
I’m not going to email the Vatican and say, “Hey, you might want to let God know his underwear is showing.”
And I’m not going to get on Twitter and say, “Hey, anyone with a CRISPR kit—order a sample from here and then do X, Y, Z to create a civilization-ending virus.”


Now, if you’re feeling particularly spunky you might say something like,




Well, why not? Who are you to tell me what to do with my research? I was the one who put the effort into this and got the result, so why am I being told what I can do with my own finding?




Again, that’s a great reaction to someone telling you that you absolutely must follow procedure 244889.2b, subsection 11, which starts with filling out 49 forms and setting yourself on fire.



That’s mighty specific, and people might have differing opinions on the point. But I have to say that something like calling the CDC and telling them you found something they need to see might be a great option.



Now you might be putting yourself at risk by doing this, especially if you’re in a particularly bad security climate. Or maybe your name is Mohammed McVeigh, and you don’t like when the FBI shows up.



But let me put an idea out there:



When life presents choices to moral people, it also removes some of the options.



Good people don’t get to sell the virus to ISIS. They don’t get to put it in the water supply in the name of science. And they don’t get to claim that they own the virus, or the decision of what to do with it, just because they discovered it.



And yes, it’s the same with the cybers.



If this had been an insta-root exploit for all Apache servers on the internet, for example, there would still be lots of right answers for how to handle it. I don’t think forcing researchers to follow some sort of strict protocol that applies to all situations is the right answer. Give them some freedom and autonomy to do the right thing.



But there would also be lots of wrong answers.




Getting on Twitter with, “OMG Apache security sux. NGNIX 4Lyfe. https://pastebin.com/88sl2eel20f02l2se4”.
Compromising every box you can find on the internet to do a cool talk in Vegas next year.
Putting the exploit on the black market so you can retire early.


These aren’t bad options because of cyber. Or because of some dumb thing called Responsible Disclosure. Screw that, and screw cyber.



They’re bad options because they are immoral. They place the good of the discoverer (fame, money, etc.) above the harm to others (disruption, financial loss, safety, etc.).



There’s a ton of grey area here, of course, because not everything is Ebola and root Apache exploits. In the case of this Apple thing, there were clearly lots of right moves—not just one—but when you have a super responsive security team that would have fixed this quickly, and probably rewarded the researcher handsomely on top, I’m not sure dumping it on Twitter was one of them.



We don’t have to choose between following a dogmatic and arbitrarily defined disclosure procedure and absolute chaos and mayhem.



Just like in regular life, there are ways to do the right thing somewhere in the middle.






Stay curious,


Daniel

Published on November 28, 2017 18:10


Daniel Miessler's Blog

Daniel Miessler