Ask an Ethicist: Vulnerability Disclosure

Question: If an individual discovers a vulnerability that they believe is important, what is an ethical way to bring it to attention?

Vulnerability disclosure is a hotly debated topic in the security community. There are two widespread approaches: responsible disclosure and full disclosure. (There is also coordinated disclosure, which is a variant of responsible disclosure among several parties.) In responsible disclosure, the individual or group reporting the vulnerability contacts the party responsible for the affected software. Many companies have established programs for such reporting, some even offering financial rewards (see Google’s Vulnerability Reward Program or Microsoft’s Bug Bounty programs). Through this communication with the company, the vulnerability reporter agrees to keep the knowledge of the vulnerability secret for a given amount of time to give the company a chance to confirm the bug and to develop, test, and deliver a patch.

Critics of responsible disclosure argue that it gives companies too much freedom to ignore real problems. They can sweep a vulnerability aside if they determine that it is too inconvenient or costly to fix. (This practice was common in the past, so this argument is not without merit or evidence.) As such, these critics tend to favor full disclosure. In full disclosure, the discoverer of the vulnerability announces it publicly without giving the company prior notice. This public announcement then creates pressure on the company to fix the problem as soon as possible to prevent it from being exploited.

Responsible disclosure is the approach more consistent with the ACM Code of Ethics. By keeping the existence of the vulnerability secret for a longer amount of time, it reduces the chance of harm to others (Principle 1.2). It also supports more robust patching (Principles 2.1, 2.9, and 3.6), as the company can take more time to develop the patch and confirm that it will not induce unintended consequences. Full disclosure puts individuals at risk of harm sooner, and those harms may be irreversible and onerous (contravening Principles 1.2 and 3.1). As such, full disclosure should be the exception and should only be used when attempts at responsible disclosure have failed. Furthermore, the individual committing to full disclosure needs to consider carefully the risks that they are imposing on others and be willing to accept the moral and possibly legal consequences (Principles 2.3 and 2.5).