At present, there is no generally accepted set of ethical guidelines for CVD. In the security response arena, work toward defining such guidelines is ongoing. The Forum of Incident Response and Security Teams (FIRST) has established a special interest group to develop a code of ethics for its member teams and liaisons (1). That does not mean, however, that no relevant guidance exists. Here we highlight some ethics advice from related sources.

Ethics in Related Professional Societies

Various computing-related professional societies have established their own codes of ethics, and each of these applies to CVD as well. The Association for Computing Machinery (ACM) Code of Ethics and Professional Conduct (2) includes the following general imperatives:

The Usenix System Administrators' Code of Ethics (3) includes an ethical responsibility "to make decisions consistent with the safety, privacy, and well-being of my community and the public, and to disclose promptly factors that might pose unexamined risks or dangers."

Journalism Ethics

In many ways, disclosing a vulnerability can be thought of as a form of journalistic reporting, in that "The purpose of journalism is … to provide citizens with the information they need to make the best possible decisions about their lives, their communities, their societies, and their governments." (4)

By analogy, vulnerability disclosure provides individuals and organizations with the information they need to make the best possible decisions about their products, their computing systems and networks, and the security of their information.

We find the four major principles offered by The Society of Professional Journalists Code of Ethics to be relevant to CVD as well (5):

References

  1. FIRST, "Ethics SIG," [Online]. Available: https://www.first.org/global/sigs/ethics. [Accessed 17 May 2017].
  2. Association for Computing Machinery, "ACM Code of Ethics and Professional Conduct," 16 October 1992. [Online]. Available: https://www.acm.org/about-acm/acm-code-of-ethics-and-professional-conduct. [Accessed 17 May 2017].
  3. USENIX, "System Administrators' Code of Ethics," 30 September 2003. [Online]. Available: https://www.usenix.org/system-administrators-code-ethics. [Accessed 17 May 2017].
  4. American Press Institute, "What is the purpose of journalism?" [Online]. Available: https://www.americanpressinstitute.org/journalism-essentials/what-is-journalism/purpose-journalism/. [Accessed 17 May 2017].
  5. Society of Professional Journalists, "SPJ Code of Ethics," 6 September 2014. [Online]. Available: https://www.spj.org/ethicscode.asp. [Accessed 17 May 2017].