At present, there is no generally accepted set of ethical guidelines for CVD. In the security response arena, work toward defining ethical guidelines is ongoing. The Forum of Incident Response and Security Teams (FIRST) has established a special interest group to develop a code of ethics for its member teams and liaisons ([1)]. However, that does not imply that there is a complete absence of relevant guidance in the matter. Here we highlight some ethics advice from related sources.
Various computing-related professional societies have established their own codes of ethics. Each of these has application to CVD. The Association for Computing Machinery (ACM) Code of Ethics and Professional Conduct ([2) ] includes the following general imperatives:
The Usenix System Administrators' Code of Ethics ([3) ] includes an ethical responsibility "to make decisions consistent with the safety, privacy, and well-being of my community and the public, and to disclose promptly factors that might pose unexamined risks or dangers."
In many ways, disclosing a vulnerability can be thought of as a form of journalistic reporting, in that "The purpose of journalism is … to provide citizens with the information they need to make the best possible decisions about their lives, their communities, their societies, and their governments." ([4)]
By analogy, vulnerability disclosure provides individuals and organizations with the information they need to make the best possible decisions about their products, their computing systems and networks, and the security of their information.
We find the four major principles offered by The Society of Professional Journalists Code of Ethics to be relevant to CVD as well ([5)]:
- Seek truth and report it – Ethical journalism should be accurate and fair. Journalists should be honest and courageous in gathering, reporting and interpreting information.
- Minimize harm – Ethical journalism treats sources, subjects, colleagues and members of the public as human beings deserving of respect.
- Act independently – The highest and primary obligation of ethical journalism is to serve the public.
- Be accountable and transparent – Ethical journalism means taking responsibility for one's work and explaining one's decisions to the public.