EFAIL is the name given to a series of vulnerabilities that affect two end-to-end email encryption protocols: OpenPGP and S/MIME . We chose this example not because it is representative of a usual vulnerability disclosure – it is not. We chose it rather because the controversies around it revealed various areas of frictions that highlighted some general disagreements regarding the management of vulnerability disclosure. We unfold the EFAIL disclosure process through four ethnographic descriptions.