Following, and verifying, the QuickTime flaw news
It’s not unusual for an IT security story to have twists and turns. With the ever-changing technology on both sides of the good guy/bad guy divide, that’s inevitable.
The story of the CanSecWest “hack-a-Mac” contest is a good example. It started as two researchers exploiting a MacBook Pro vulnerability to win a contest at a Vancouver conference.
It became an assumed flaw in Apple’s Safari web browser.
After TippingPoint, which sponsored the contests, provided some information, it was clarified to be a flaw in QuickTime that affects all Java-based browsers. Later in the week, that evolved into a flaw affecting Internet Explorer on Windows operating systems, including Vista.
But today’s big question was, “Did the exploit become public through the wireless network at CanSecWest?” The answer now looks like “probably not.”
Thomas Ptacek at Matasano Security’s blog followed the reports, closing with an ominous hunch that the vulnerability could turn into something big and a conclusion that blogs may not be the best place for exploit disclosure.
