diff --git a/src/or/config.c b/src/or/config.c
index 230ccf25c06be3aeeb0f46f104fa148f81c756d4..78e433620df13714afea07680fe7c29a717a5029 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -269,6 +269,8 @@ static config_var_t _option_vars[] = {
   V(GeoIPFile,                   FILENAME,
     SHARE_DATADIR PATH_SEPARATOR "tor" PATH_SEPARATOR "geoip"),
 #endif
+  V(GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays,
+                                 BOOL,     "0"),
   OBSOLETE("Group"),
   V(HardwareAccel,               BOOL,     "0"),
   V(AccelName,                   STRING,   NULL),
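Review bot: The new table entry has no comment saying what the option controls or that 0 is the safe value, and nothing here warns an operator who leaves it switched on. A comment above the entry would help, e.g. `/* Read when voting on the Guard flag (dirserv.c); default 0 keeps the CVE-2011-2768 version check enforced. */`. It would also be worth logging a warning during option validation when the value is 1, so a stale setting gets noticed once the affected relays have upgraded. Whether the man page documents the option is not visible in this diff.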
diff --git a/src/or/dirserv.c b/src/or/dirserv.c
index fa7f693afe4c91389021d79014ace3e95a0022c3..c427fe2ef36097064c86d1c4da45c66d60eb3a0c 100644
--- a/src/or/dirserv.c
+++ b/src/or/dirserv.c
@@ -2332,6 +2332,7 @@ set_routerstatus_from_routerinfo(routerstatus_t *rs,
                                  int naming, int listbadexits,
                                  int listbaddirs, int vote_on_hsdirs)
 {
+  const or_options_t *options = get_options();
   int unstable_version =
     !tor_version_as_new_as(ri->platform,"0.1.1.16-rc-cvs");
   memset(rs, 0, sizeof(routerstatus_t));
@@ -2363,7 +2364,8 @@ set_routerstatus_from_routerinfo(routerstatus_t *rs,
        router_get_advertised_bandwidth(ri) >=
                               MIN(guard_bandwidth_including_exits,
                                   guard_bandwidth_excluding_exits)) &&
-      is_router_version_good_for_possible_guard(ri->platform)) {
+      (options->GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays ||
+       is_router_version_good_for_possible_guard(ri->platform))) {
     long tk = rep_hist_get_weighted_time_known(
                                       ri->cache_info.identity_digest, now);
     double wfu = rep_hist_get_weighted_fractional_uptime(
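Review bot: When the option is set, the version check in this condition is short-circuited silently, so the authority's logs never show that it is voting Guard for a relay that `is_router_version_good_for_possible_guard()` would have rejected. Consider computing `int version_ok = is_router_version_good_for_possible_guard(ri->platform);` before the `if` and logging at info level when the relay passes only because of the override. That gives operators and reviewers of the vote an audit trail for the exception. A one-line comment above the condition naming CVE-2011-2768 as the reason for the override would also help. The function body starts before and continues after this hunk.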
diff --git a/src/or/or.h b/src/or/or.h
index 8638f2099708ea73996a260b7d13fc1bae395aef..7d50e1f5054409b651c38ea3b610e0cef9c0fc04 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -2672,6 +2672,10 @@ typedef struct {
                                      * number of servers per IP address shared
                                      * with an authority. */
 
+  /** Should we assign the Guard flag to relays which would allow
+   * exploitation of CVE-2011-2768 against their clients? */
+  int GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays;
+
   char *AccountingStart; /**< How long is the accounting interval, and when
                           * does it start? */
   uint64_t AccountingMax; /**< How many bytes do we allow per accounting
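Review bot: The doc comment on `GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays` does not say who consults the field or which value is safe. As far as this diff shows, it is read only in set_routerstatus_from_routerinfo() in dirserv.c, so the comment could say so: `/** Authorities only: if true, vote Guard even for relays whose version fails the CVE-2011-2768 check. Default 0; clients using such guards may be exposed. */`. The struct definition starts before and continues after this hunk.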