At present, there is no generally accepted set of ethical guidelines for CVD. In the security response arena, work toward defining ethical guidelines is ongoing. The Forum of Incident Response and Security Teams (FIRST) has established a special interest group to develop a code of ethics for its member teams and liaisons (1). That does not mean, however, that relevant guidance is entirely absent. Here we highlight some ethics advice from related sources.
Ethics in Related Professional Societies
Various computing-related professional societies have established their own codes of ethics. Each of these has application to CVD. The Association for Computing Machinery (ACM) Code of Ethics and Professional Conduct (2) includes the following general imperatives:
- Contribute to society and human well-being.
- Avoid harm to others.
- Be honest and trustworthy.
- Be fair and take action not to discriminate.
- Honor property rights including copyrights and patent.
- Give proper credit for intellectual property.
- Respect the privacy of others.
- Honor confidentiality.
The USENIX System Administrators' Code of Ethics (3) includes an ethical responsibility "to make decisions consistent with the safety, privacy, and well-being of my community and the public, and to disclose promptly factors that might pose unexamined risks or dangers."
In many ways, disclosing a vulnerability can be thought of as a form of journalistic reporting, in that "The purpose of journalism is … to provide citizens with the information they need to make the best possible decisions about their lives, their communities, their societies, and their governments." (4)
By analogy, vulnerability disclosure provides individuals and organizations with the information they need to make the best possible decisions about their products, their computing systems and networks, and the security of their information.
We find the four major principles offered by The Society of Professional Journalists Code of Ethics to be relevant to CVD as well (5):
- Seek truth and report it – Ethical journalism should be accurate and fair. Journalists should be honest and courageous in gathering, reporting and interpreting information.
- Minimize harm – Ethical journalism treats sources, subjects, colleagues and members of the public as human beings deserving of respect.
- Act independently – The highest and primary obligation of ethical journalism is to serve the public.
- Be accountable and transparent – Ethical journalism means taking responsibility for one's work and explaining one's decisions to the public.
1. FIRST, "Ethics SIG." [Online]. Available: https://www.first.org/global/sigs/ethics. [Accessed 17 May 2017].
2. Association for Computing Machinery, "ACM Code of Ethics and Professional Conduct," 16 October 1992. [Online]. Available: https://www.acm.org/about-acm/acm-code-of-ethics-and-professional-conduct. [Accessed 17 May 2017].
3. USENIX, "System Administrators' Code of Ethics," 30 September 2003. [Online]. Available: https://www.usenix.org/system-administrators-code-ethics. [Accessed 17 May 2017].
4. American Press Institute, "What is the purpose of journalism?" [Online]. Available: https://www.americanpressinstitute.org/journalism-essentials/what-is-journalism/purpose-journalism/. [Accessed 17 May 2017].
5. Society of Professional Journalists, "SPJ Code of Ethics," 6 September 2014. [Online]. Available: https://www.spj.org/ethicscode.asp. [Accessed 17 May 2017].