Disclosing Software Vulnerabilities: An Ethical Perspective

Naturally, we want our software and the services that we use to be secure, and this often requires discovering vulnerabilities and taking action to fix them. But what is the right way to disclose vulnerabilities to vendors and the public? Many researchers will find themselves in the position of finding and disclosing vulnerabilities, often accidentally. What is less well known is that such activities can have legal and ethical implications that vary depending, for example, on how vulnerabilities are discovered, to whom they are disclosed, and how the public is informed. Well-intentioned researchers look to improve the security of software products in collaboration with the vendors while minimising the negative impact of letting someone take advantage of a vulnerability. However, in some countries researchers are forced to defend themselves in legal proceedings, because their security research is considered criminal hacking. In others, it is not clear whether such research is welcome or whether researchers are protected. As such, they may not know how to behave when discovering a vulnerability.