In both information security and aviation. sharing information on risks, threats, incidents and consequences is viewed as fundamental to the avoidance and prevention of future failures and accidents. The information security community also often seems better at reporting problems with things, as opposed to problems with processes. In both disciplines, there are disincentives to admitting and sharing our mistakes and surprises. Sometimes that’s due to fear of regulatory or legal liability, sometimes it’s for competitive reasons, and sometimes we just don’t want to look stupid. In the aviation world, there is a surprisingly enlightened system in place for the reporting of operational incidents.The Aviation Safety Reporting System is set up to protect the anonymity of people submitting reports, incorporates some protections from liability, and was set up in a way that separates the agencies receiving reports from those that have enforcement authority. This talk is intended to stimulate discussion about how this sort of system might help the security world learn more intelligently about exactly how things go wrong with operations, not just during product or software development.