Is vulnerability research ethical?


Over at the TaoSecurity blog you can find a good summary of the Bruce Schneier (nice poster btw) vs Marcus Ranum face-off regarding the ethics of vulnerability research (also read the comments, they are worth your time).

I fully agree with Bruce on this and think that Marcus is confusing two things: the act of finding the vulnerability and what you do after it. Just as law and justice are not the same thing (trivia: this is why Justitia, the Roman goddess of justice, is never portrayed with a lawbook in her hands, although many people think she is because they confuse her with the Statue of Liberty), vulnerability research and your disclosure method are not the same thing. Bruce Schneier summarizes nicely why it is important to have people who know how to break things:

When someone shows me a security design by someone I don’t know, my first question is, “What has the designer broken?” Anyone can design a security system that he cannot break. So when someone announces, “Here’s my security system, and I can’t break it,” your first reaction should be, “Who are you?” If he’s someone who has broken dozens of similar systems, his system is worth looking at. If he’s never broken anything, the chance is zero that it will be any good.

What you do with your knowledge (the main thing Marcus focuses on) is a separate matter. As long as you:

  • Try to contact the vendor/author first
  • Try to coordinate with them to make sure that the disclosure comes after the patch is available
  • Wait a reasonable amount of time before going public
  • Do not sell or give the information to people whose need for it is not well motivated (an IPS/IDS vendor, for example, has a well-motivated need)

I consider the action of disclosing a vulnerability (even with proof of concept code) ethical.
