This essay shows that the EFAIL disclosure took many forms at different times: Like a proton in a high energy physics experiment, the impact of disclosure created different simultaneous strains transforming what the researchers discovered into various versions of EFAIL: it morphed into an urgent threat for journalists and activists, a communication fiasco severely criticized, another reason to abandon OpenPGP adding to a two-decade old polemics about the standard, a series of technical issues to define and to fix separately, a series of remedies to negotiate and assess, an academic paper, a myriad of discourses about what should be a respectful and ethical vulnerability management as well as a CVE number, a logo and a domain name.
However, tracing these metamorphoses of the EFAIL vulnerabilities only tells the half of the stories. Indeed, other disclosures took place behind the scene: the researchers contacted vendors ad developers months before the public disclosure. They also contacted the EFF and other concerned “infosec” groups including the USENIX committee and journalists prior to Schinzel’s tweet.
Like in any ethnographic research, we were not able to follow every step and discussion related to EFAIL that took place behind the scenes. Perhaps nobody could grasp the complete processes, not even the EFAIL researchers themselves. Nevertheless, we can observed how the EFAIL vulnerabilities acted in the world to materialize themselves through the activation of different, but sometimes intersecting planes. In the research process, the different planes became more definite only when we could determine what was the properties of the particular manifestation of EFAIL we were observing. Each of these planes debated what EFAIL was, using different discursive registers and coalescing different participants and audiences together. Yet, these four planes remained all closely related to the EFAIL vulnerabilities discovered by Schinzel and his team. Thus, following the trajectories of vulnerabilities – their many disclosures and their impacts in the infosec arena – allows us to witness the making and unmaking of computer security without defining a priori our ethnographic research to few expert groups or sites of deliberation.