"Disclosing Software Vulnerabilities: An Ethical Perspective"

Securing software and other services requires discovering flaws and implementing corrective measures. The open question is how to disclose vulnerabilities properly to vendors and to the general public. Many researchers find vulnerabilities and must disclose them, but it is less well known that doing so can carry legal and ethical consequences that vary with how a vulnerability was discovered, who is informed, and how the public is informed. Well-intentioned researchers work with vendors to improve the security of software products while minimizing the window in which someone could exploit the flaw. In some countries, however, researchers face legal repercussions because their security research is treated as criminal hacking; in others, it is unclear whether such research is permitted or protected. As a result, researchers may be unsure how to act when they discover a vulnerability. Professor Gabriele Lenzini, head of the Interdisciplinary Research on Sociotechnical Cybersecurity (IRiSC) group at the University of Luxembourg, spoke on how researchers can safely disclose software vulnerabilities and take part in the ethical debate surrounding the topic. This article continues to discuss the challenge of safely disclosing security vulnerabilities and the ethical debate around it.

University of Luxembourg reports "Disclosing Software Vulnerabilities: An Ethical Perspective"