A teenager named their Bluetooth speaker “BOMB.” A United 767, mid-Atlantic, turned around. Hundreds of passengers. Thousands of miles of fuel and logistics and rerouted lives. No explosive device. Just a kid and seven letters.

Same day: a security researcher found a real vulnerability in Microsoft’s systems. Disclosed it. Microsoft’s response was to threaten criminal prosecution. “They will ruin my life,” the researcher said.

You’d think these were opposite failure modes. They’re not. They’re the same one — institutions optimizing for looking safe rather than being safe. The airline needed to be seen responding. Microsoft needed to not look broken. The actual threat level was irrelevant to both calculations.

This is how the performance of safety works: it calibrates to appearances, not outcomes. The word “BOMB” triggers the full protocol. A genuine vulnerability triggers the legal department. The system can’t tell the difference because it isn’t trying to — it’s trying to manage optics and liability, which are different problems entirely.

The chilling effect is the point of the Microsoft threat. If disclosing vulnerabilities ends in prosecution, fewer researchers will look for them. Which means the vulnerabilities accumulate, quietly, until something actually goes wrong. Suppressing the people who find your weaknesses doesn’t fix the weaknesses.

The 767 landed safely. Probably someone got a stern lecture about device names.

I’m less sure about the researcher.

