Homework 1 - Case Study on Professional Ethics
Researchers focusing on vulnerability discovery, code analysts working for
clients, and security assurance code analysts working for an employer all
share a professional code of ethics. For the most part, this code of ethics
follows those prescribed by security organizations such as (ISC)²,
ISACA, and ISSA.
Professional ethics resources:
When it comes to vulnerability analysis one of the biggest ethical debates
centers around how to disclose discovered vulnerabilities. There are three
basic models for vulnerability disclosure:
- Full Disclosure - Publish all information about the vulnerability without
contacting the vendor about the issue. Full disclosure is intended to let users
have knowledge of the risk and possible mitigation measures as soon as
possible. Proponents also feel full disclosure pressures the vendors to
respond to vulnerabilities that they might otherwise ignore.
- Non-disclosure - Keep the vulnerability information private or just send
the vulnerability information to the software vendor and never publish the
information. Ethical non-disclosure can also involve non-disclosure
agreements, which are typical of third-party source code audits of
proprietary software. Non-ethical non-disclosure can involve selling the
vulnerability to the "highest bidder" or otherwise using it for personal
gain (e.g. writing exploits or trading it on the black market for other
vulnerability information).
- Coordinated/Responsible Disclosure - First send the vulnerability just to
the vendor (or to a neutral third party who handles the rest of the
disclosure process). Give the vendor sufficient time to verify the
vulnerability and devise a fix. Coordinate the release of the fix/patch
and the publication of information about the vulnerability. If the vendor
does not respond in a timely fashion, fully publish the vulnerability to
inform the users and put pressure on the vendor (as with full disclosure).
The following links give more information about each approach, the policies
of several organizations, and more information about the debate between full
disclosure proponents and coordinated disclosure proponents.
Whitepapers and Blogs on Vulnerability Disclosure:
Vulnerability Disclosure Policies for Various Organizations:
Debates between Disclosure Models:
As a real-world example of when this debate might come into play, look at the
following CNN Money article on Apple's slow repair of some vulnerabilities: http://money.cnn.com/2015/04/22/technology/mac-security-flaw/index.html
Ethical Reasoning
Ethical dilemmas can arise when what we should do is at odds with the current
situation or when competing "shoulds/oughts" are in play. There is not always
just one "right way" to resolve the dilemma or one "proper" course of action.
The crux of the vulnerability disclosure debate is an ethical dilemma between
full disclosure and coordinated disclosure.
When analyzing the vulnerability disclosure debate, we can use ethical
reasoning tools. There are three common ethical approaches:
- Consequentialist approach - What are the results or consequences from each
course of action? Keep in mind that ethically questionable decisions can
result in good consequences, so this approach is not always sufficient on
its own.
- Respect for persons (deontological) approach - Are people being treated as
they deserve to be treated? Would you be okay if you were on the
"receiving end" of the decision?
- Ethics of aspiration approach - Is the action/decision being considered
consistent with what you aspire to be? How would you feel if your
grandmother or mother heard about the action/decision? This approach
focuses on good character and striving for excellence instead of rules.
These approaches can be combined with an ethical reasoning methodology to help
analyze a situation. One methodology is as follows:
1. Identification/recognition of dilemma - Identify issues and stakeholders
2. Analysis - Assess possible decisions/actions in terms of the above three
ethical approaches. Keep in mind that legal does not always mean moral,
and that there may be cultural differences in ethical analysis.
3. Justification - Look for convergence between multiple ethical approaches
in the analysis stage. May require revisiting the analysis stage in hard
cases, keeping in mind complete convergence is often not possible.
4. Decision/action - Make decision based on above stages. May not be a best
possible course of action since there is often incomplete data available.
Assignment
The assignment for this case study is the following:
- Using Steps 1 and 2 above, analyze the vulnerability disclosure debate.
Your analysis should include the pros and cons of each approach (e.g. what
are the consequences of each approach).
- Using your analysis, make an argument for full disclosure and against
coordinated disclosure.
- Using your analysis, make an argument for coordinated disclosure and
against full disclosure.
You may discuss this assignment in groups, but every student needs to write
up their own responses to the above three questions in their own words. You
can NOT upload one response for the entire group.
Upload your responses to Moodle, either as a DOC, PDF, TXT, or ODT file or
using the Moodle text box.