The Goodwill Budget: When Being Right Isn't the Whole Job

In security, being correct is the floor, not the finish line. A finding can be technically right, fully defensible, and backed by the published rules — and still be the wrong thing to act on the way you acted on it. That gap is where a lot of hard-won credibility quietly drains away.

I want to give that gap a name: the goodwill budget. It’s the standing willingness of everyone around you — engineers, customers, executives, partners — to keep saying yes to security when you ask. It’s real, it’s finite, and most teams spend it without tracking it. You earn it by being useful and proportionate. You burn it when you make people scramble for something that didn’t warrant the scramble. And unlike a finding, it doesn’t refill on a schedule.

A correct finding, an outsized bill

The clearest recent example is the DigiCert certificate revocation of mid-2024.

The facts are not in dispute. The CA/Browser Forum baseline requirements say that when you validate domain control using a DNS CNAME record, the random value has to be prefixed with an underscore. A legacy path in DigiCert’s system, dating back to a 2019 code change, skipped adding that prefix for a slice of CNAME-based validations. About 0.4% of validations were affected. When DigiCert found it, the rules were unambiguous: certificates issued under a non-conforming validation must be revoked within 24 hours. DigiCert followed them, and over a few days revoked 83,267 certificates.
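To make the conformance gap concrete, here is an added example (not DigiCert's code and not the CA/Browser Forum's text) that classifies CNAME-based validation records the way the post describes the rule: the random value must appear in an underscore-prefixed label in front of the domain being validated. It assumes the conforming owner name has the shape `_<random>.<domain>`, and the domain names, random values and log entries are constructed sample data; the `ValidationRecord` shape and `audit` function are illustrative, not any CA's real schema.

```python
"""
Conformance check for DNS CNAME-based domain validation labels.

Added example, not DigiCert's code or the CA/Browser Forum's text. It models
the rule described above: a CNAME-based validation must put the random value
in a label prefixed with an underscore. All sample data is constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass(frozen=True)
class ValidationRecord:
    """One CNAME-based validation as it might appear in an issuance log (constructed)."""
    domain: str        # authorization domain name being validated
    random_value: str  # random value the CA issued for this validation
    owner_name: str    # CNAME owner name the applicant actually published


def expected_owner_name(domain: str, random_value: str) -> str:
    """Build the conforming owner name: underscore-prefixed random value, then the domain."""
    return f"_{random_value}.{domain.rstrip('.')}".lower()


def classify(record: ValidationRecord) -> str:
    """
    Return 'conforming', 'legacy-missing-underscore', or 'mismatch'.

    'legacy-missing-underscore' is the shape of the gap described above: the
    random value is the leftmost label, but the underscore prefix is absent.
    Everything else (wrong depth, wrong parent, foreign label) is 'mismatch'.
    """
    labels = record.owner_name.rstrip(".").lower().split(".")
    domain_labels = record.domain.rstrip(".").lower().split(".")
    # The owner name must be exactly one label deeper than the domain.
    if len(labels) != len(domain_labels) + 1 or labels[1:] != domain_labels:
        return "mismatch"
    leftmost = labels[0]
    random_value = record.random_value.lower()
    if leftmost == f"_{random_value}":
        return "conforming"
    if leftmost == random_value:
        return "legacy-missing-underscore"
    return "mismatch"


def audit(records: Iterable[ValidationRecord]) -> Dict[str, int]:
    """Count records by classification so the affected population can be sized."""
    counts = {"conforming": 0, "legacy-missing-underscore": 0, "mismatch": 0}
    for record in records:
        counts[classify(record)] += 1
    return counts


def affected_share(counts: Dict[str, int]) -> float:
    """Fraction of validations that took the legacy, non-conforming path."""
    total = sum(counts.values())
    return counts["legacy-missing-underscore"] / total if total else 0.0


# Constructed sample log: one legacy record among five.
SAMPLE_RECORDS = [
    ValidationRecord("example.test", "abc123", "_abc123.example.test"),
    ValidationRecord("example.test", "def456", "def456.example.test"),       # legacy path
    ValidationRecord("example.test", "ghi789", "_ghi789.sub.example.test"),  # wrong depth
    ValidationRecord("Example.Test.", "JKL012", "_jkl012.example.test."),    # case / trailing dot
    ValidationRecord("example.test", "mno345", "mno_345.example.test"),      # underscore elsewhere
]

if __name__ == "__main__":
    counts = audit(SAMPLE_RECORDS)
    print(counts, f"affected share: {affected_share(counts):.1%}")
```

The classifier is deliberately strict about depth and parent labels, so an underscore that merely appears somewhere in the label does not count as conforming; that is the kind of edge a quick `"_" in label` check would get wrong. Running `audit` over real issuance logs is the step that turns "we found a gap" into "here is exactly how many validations, and which customers, it touches", which is the input a proportionality decision needs.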

To DigiCert’s credit, they were doing exactly what the framework requires, and they were transparent about it. This isn’t a story about a company behaving badly. It’s a story about what happens when a correct finding meets a rigid mechanism and nobody stops to weigh the impact.

Because the impact was real. The missing underscore was a conformance gap, not an exploited weakness — the validations still demonstrated control of the domains in practice. The security risk that the revocation actually removed was close to zero. But the cost of the remediation was enormous, and it landed almost entirely on people who had done nothing wrong: thousands of customers given less than a day to re-issue and re-install certificates across production systems, some of them finding out mid-morning that the clock had started overnight. At least one went to court for an emergency order rather than take the outage. A near-zero risk was retired by spending a very large amount of other people’s goodwill.

Three ways good findings go wrong

The pattern generalizes well beyond certificates, and it’s worth being precise about the failure modes, because they’re the ones most security teams hit every week.

A finding spends goodwill unrealistically when the timeline or expectation ignores how the real world works — a 24-hour clock for work that physically takes longer, a “just rotate everything” that assumes an automation maturity the customer doesn’t have. Being right about the deadline on paper doesn’t make the deadline achievable.

It spends goodwill unfairly when the cost falls on people who didn’t create the problem and can’t be blamed for it. The customers in the revocation story didn’t write the legacy code, didn’t pick the rule, and got the bill anyway. When the people who pay aren’t the people who erred, you should expect resentment, and you’ve earned it.

And it spends goodwill unintentionally when nobody meant to torch anything — the process just ran. No single person decided to make thousands of teams scramble; a correct finding entered a rigid mechanism and the mechanism did the rest. Most goodwill is lost this way: not through bad calls, but through good calls with no proportionality check between “this is true” and “act on it now, like this.”

Spending on purpose

None of this argues for letting real issues slide. It argues for treating impact as a first-class part of the job, not an afterthought to correctness.

Separate two questions that teams tend to collapse into one. First: is the finding real? Second, and distinct: what does acting on it cost, who pays it, and is that proportionate to the risk it removes? A finding can pass the first test and fail the second badly. You need an answer to both before you start a clock.

Build the proportionality in before the pressure hits. The time to design an exception path, a phased timeline, or a risk-based grace period is while you’re writing the rule — not at hour 23 with everyone already scrambling. Rules that only have a maximum setting will, eventually, use it on something that didn’t deserve it.

And reserve the big asks. Your ability to demand immediate, expensive action is not the same as it being wise to use it. Every time you spend it on something pedantic, you have less of it left for the day something is genuinely on fire — and that’s the day you’ll need everyone to move without arguing. The credibility you spend being technically right about a low-stakes gap is the exact credibility you’re saving for a real one.

Being right is necessary. It is not sufficient, and it is not free. The teams that last are the ones that know the difference, and spend their goodwill like they’ll need it again — because they will.