Ethics in Information Security
By Milinda Wickramasinghe
Ethics
Why we need ethics in IT Security
Common unethical practice
Ten Commandments of Computer Ethics
1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people's computer work.
3. Thou shalt not snoop around in other people's computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for which you have not paid.
7. Thou shalt not use other people's computer resources without authorization or proper compensation.
8. Thou shalt not appropriate other people's intellectual output.
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
10. Thou shalt always use a computer in ways that insure consideration and respect for your fellow humans.
Vulnerability lifecycle
(Chart: risk plotted against time across the stages Birth, Discovery, Disclosure, Correction, Publicity and Death)
Types of disclosure
Non-Disclosure
Never disclosed to the general public.
Once a vulnerability is found it is kept secret and leveraged to exploit vulnerable systems and gain benefits.
Limited Disclosure
Vulnerability information is shared among a few individuals (the discloser, the vendor and possibly a third-party coordinator).
The initial public disclosure names the flawed product and gives very few details about the vulnerability.
Does not contain full technical details.
Released only once the vendor has fixed the flaw.
Full Disclosure
Full technical details of the vulnerability are disclosed along with the exploit code.
Without the consent of the vendor / author of the code.
The vendor is informed at the same time as the general public.
Responsible Disclosure
Discovery
A security firm or researcher finds the vulnerability.
Initial Contact
Notify the vendor (possibly with the help of a third party).
Set a reasonable deadline.
Continued Communication
The vendor tries to reproduce the issue; the originator should provide assistance.
Patch Development
The vendor creates patches, tests them and analyzes further for more issues.
Public Disclosure
Technical details of the vulnerability are disclosed without the exploit code.
Exploit Release
Enters the scripting stage.
Tools are developed.
Responsible Disclosure - Benefits for the researcher
What could possibly go wrong?
Cyber Security Laws in Sri Lanka
Convention on Cybercrime - Budapest Convention
Thank you.