Managing the Impact of Academic Research on Industry/Government: Conflict or Partnership?
by Kenny Paterson and Fred Piper - Information Security Group, Royal Holloway, University of London - Tuesday, 21 February 2006.
In the world of Information Security, there is great potential for conflict between the research aims of academics on the one hand, and the interests of industry and government on the other. As just one example, consider the implications of publishing an academic research paper describing a cryptographic flaw in the Data Encryption Standard (DES). Even today, with DES in its original form gradually being phased out in most applications, this would be headline news in the academic community. If this event had occurred 10 or 20 years ago, then a good deal more might have been at stake: assuming the flaw to be sufficiently serious, such a paper would have had a potentially major commercial and financial impact, and could have dented public confidence in the development and standardization processes that produced DES.

Faced with such a situation, how should academic researchers behave? Should they avoid sensitive targets where the discovery of flaws would have more than simply academic consequences? Or should they home in on targets of this type, taking the view that the sooner we know the weaknesses, the sooner they will be rectified? If they choose the former path and do find a flaw, what is the best route to publicize their findings? After all, the dictum “publish or perish” was never more true for academics than it is today, with enormous pressures on them to produce high-impact research. What then is the best way to advise interested parties in industry and government so they can react? How can these parties even be identified? Is it a good idea to attempt to generate press headlines so as to spread the news as quickly as possible, or would this simply smack of irresponsible scaremongering? And what is the role of the press in all this?


These are all important questions to which there is no clear-cut, simple ‘correct’ answer. However, we will describe one way that a balance can be struck between the competing interests of academics (wishing to publish their findings) and other parties needing to react to news of a flaw (by deploying patches, updating systems, and so on).

Copyright 1998-2013 by Help Net Security.