Ethical Considerations

ethicsfIRST

The FIRST Ethics site addresses the following topics:

  • trustworthiness
  • coordinated vulnerability disclosure
  • confidentiality
  • acknowledgment
  • authorization
  • information
  • human rights
  • team health
  • team ability
  • responsible collection
  • jurisdictional boundaries
  • evidence-based reasoning

In the security response arena, work toward defining ethical guidelines is ongoing. The Forum of Incident Response and Security Teams (FIRST) has established an Ethics special interest group to develop a code of ethics for its member teams and liaisons.

FIRST Ethics SIG: Duty of coordinated vulnerability disclosure

Team members who learn of a vulnerability should follow coordinated vulnerability disclosure by cooperating with stakeholders to remediate or mitigate the security vulnerability and minimize harm associated with disclosure. Stakeholders include but are not limited to the vulnerability reporter, affected vendor(s), coordinators, defenders, and downstream customers, partners, and users.

Team members should coordinate with appropriate stakeholders to agree upon clear timelines and expectations for the release of information, providing enough details to allow users to evaluate their risk and take actionable defensive measures.

We also highlight some ethics advice from related sources.

Various computing-related professional societies have established their own codes of ethics. Each of these has some application to CVD. While we are not attempting to replicate their ethical guidelines, we do want to highlight that these codes exist and are relevant to the work of CVD.

Association for Computing Machinery (ACM) Code of Ethics and Professional Conduct

  • Contribute to society and to human well-being, acknowledging that all people are stakeholders in computing.
  • Avoid harm.
  • Be honest and trustworthy.
  • Be fair and take action not to discriminate.
  • Respect the work required to produce new ideas, inventions, creative works, and computing artifacts.
  • Respect privacy.
  • Honor confidentiality.

Usenix System Administrators' Code of Ethics

I will do my best to make decisions consistent with the safety, privacy, and well-being of my community and the public, and to disclose promptly factors that might pose unexamined risks or dangers.

Journalism Ethics

In many ways, disclosing a vulnerability can be thought of as a form of journalistic reporting, in that

American Press Association: Principles of Journalism

The central purpose of journalism is to provide citizens with accurate and reliable information they need to function in a free society.

By analogy, vulnerability disclosure provides individuals and organizations with the information they need to make the best possible decisions about their products, their computing systems and networks, and the security of their information.

We find the four major principles offered by The Society of Professional Journalists Code of Ethics to be relevant to CVD as well:

Society of Professional Journalists Code of Ethics

  • Seek truth and report it -- Ethical journalism should be accurate and fair. Journalists should be honest and courageous in gathering, reporting and interpreting information.
  • Minimize harm -- Ethical journalism treats sources, subjects, colleagues and members of the public as human beings deserving of respect.
  • Act independently -- The highest and primary obligation of ethical journalism is to serve the public.
  • Be accountable and transparent -- Ethical journalism means taking responsibility for one's work and explaining one's decisions to the public.