VULNERABILITIES AND ETHICS:
A CODE OF ETHICS FOR THE PRIVATE SECTOR
HITB GSEC Singapore 2016, August 22nd-26th
Alfonso De Gregorio, Zeronomicon
#VULNETHICS
@ZERONOMICON
Agenda
1. The Vulnerability Supply Chain
2. The Surrounding Ethical Questions
3. Code of Ethics: Principles and Standards
4. Concluding Remarks and Debate
THE VULNERABILITIES SUPPLY CHAIN
VULNERABILITIES ARE LIKE POLLUTANTS
INCENTIVES
IT’S WHY WE DO THINGS
UNRESTRAINED VULNERABILITY DUMPING
PERVERSE INCENTIVE
– David Rice
“patching allows software manufacturers
to optimize market and legal
protections by "re-negotiating" contract
terms buyers could not
negotiate in the first place”
THE SURROUNDING ETHICAL QUESTIONS
WHO HOLDS THE MORAL LOW GROUND?
WHO ARE THE ONES THAT EXPLOIT US THE MOST?
IF OUR GOVERNMENTS INTRODUCE TRADE
CONTROLS TO ADMINISTER THE EXPORT OF
INTRUSION SOFTWARE, SHOULD WE DEMAND
SOFTWARE MANUFACTURERS TO INTERNALISE THE
COST OF THE INSECURE SOFTWARE THAT WE
IMPORT INTO OUR LIVES, FOR REASONS OF
SYMMETRY?
SHOULD WE MAKE THEM LIABLE FOR THE DEFECTS
AND FLAWS THAT ALLOW THE INTRUSION IN THE
FIRST PLACE?
WITH INCOMPLETE KNOWLEDGE ABOUT THE REAL-
WORLD SECURITY OF THE SYSTEMS TO WHICH WE
ENTRUST OUR BUSINESS, IS IT ETHICAL TO REFRAIN
FROM HUNTING VULNERABILITIES, OR TO PREVENT
OTHERS FROM DOING SO?
AND WHAT SHOULD A SECURITY RESEARCHER DO
WITH THE VULNERABILITIES ONCE THEY ARE
FOUND?
IS FULL DISCLOSURE AN ACCEPTABLE COURSE OF
ACTION?
DOES FULL DISCLOSURE BECOME MORE
ACCEPTABLE IF THE AFFECTED VENDOR IGNORES
THE VULNERABILITIES THAT WERE REPORTED
RESPONSIBLY, OR FAILS TO PROVIDE A TIMELY
PATCH?
DOES COORDINATED VULNERABILITY DISCLOSURE
PROVIDE A MORE ETHICALLY SOUND PATH TO BE
TAKEN?
DOES THE SAME PATH REMAIN MORALLY
PREFERABLE IF ONE OF THE PARTIES WHO RECEIVES
THE VULNERABILITY INFORMATION FROM THE
COORDINATOR PRIOR TO ITS PUBLIC DISCLOSURE
DECIDES TO USE IT TO EXPLOIT VULNERABLE
ENTITIES?
ARE BUG BOUNTY PROGRAMS EXPLOITING BOUNTY
HUNTERS?
A Data Point
Target: Microsoft Outlook on the web (OWA)
Exploit: Remote Code Execution
Price: $200,000 USD
Expires on: November 30th, 2016

https://www.zeronomi.com/campaigns.html
SHOULD BUG HUNTERS EXPECT TO BE PAID IF
THE OTHER PARTY HAS NOT ASKED THEM TO DO
THEIR WORK?
WHAT SHOULD GOVERNMENT SECURITY AGENCIES
DO WITH VULNERABILITIES?
SHOULD THEY EXPLOIT THEM OR SHOULD THEY LET
EVERYBODY ELSE MITIGATE THEM, IN THE WAY THEY
ALREADY DO?
SHOULD THEY TAKE ADVANTAGE OF THOSE
VULNERABILITIES TO BENEFIT A LIMITED NUMBER
OF STAKEHOLDERS, OR SHOULD THEY DISCLOSE
THEM TO ALL AFFECTED CONSTITUENTS?
DOES THE POWER INEQUITY IN THE VULNERABILITY
EQUATION HAVE TO BE BALANCED?
WITH ENTITIES AFFECTED BY VULNERABILITIES
SPREAD ALL AROUND THE WORLD, HOW TO INFORM
THE PUBLIC?
WITH VENDORS THREATENING LEGAL ACTION AND
SUPPORTED BY THEIR SIGNIFICANT FINANCIAL
RESOURCES, HOW TO PROTECT THE SECURITY
RESEARCHERS?
WITH OUR SOCIETY GROWING MORE DATA
INTENSIVE, HOW TO OVERSEE NOT ONLY MATERIAL
AND TECHNOLOGY BUT ALSO KNOWLEDGE?
HOW DO THE ATTEMPTS TO STRIKE A BALANCE
BETWEEN SCIENTIFIC OPENNESS AND NATIONAL
SECURITY […] REDEFINE SCIENCE-SECURITY
RELATIONS?
HOW DOES SCIENTIFIC KNOWLEDGE BECOME
SUBJECT TO SECURITY GOVERNANCE?
HOW DOES THIS DYNAMIC AFFECT THE LINKS
AMONG SCIENTIFIC KNOWLEDGE, SECURITY
EXPERTISE AND POLITICAL DECISION?
CAN WE REGARD HACKING TO BE AN ETHICAL
PRACTICE AND CONDEMN, AT THE SAME TIME, THE
TRADE OF CAPABILITIES ENABLING THIS PRACTICE
AS IMMORAL?
CODE OF ETHICS
SIX PRINCIPLES
EIGHT STANDARDS
THE PRINCIPLES ARE
ASPIRATIONAL GOALS AIMED AT
GUIDING AND INSPIRING THE
CONDUCT OF BUSINESS
THE ETHICAL STANDARDS ARE
ENFORCEABLE RULES FOR THE
DAY-TO-DAY BUSINESS
OPERATIONS.
PRINCIPLE A: CLEAN HANDS
Respect all human rights proclaimed by international human rights treaties, including The International Bill of Human Rights, and strive to ensure no complicity in any human rights abuses.
STANDARD 1: VETTING AND MONITORING OF CUSTOMERS
Do not engage in any business with entities known for abusing human rights, and reserve the right to suspend or cease business operations with entities later found to be involved in human rights abuses.
PRINCIPLE B: DO NOT POSE A DANGER TO HUMAN HEALTH
Champion the health of human beings and commit not to enable your Customer entities with capabilities that may pose a direct danger to human health.
STANDARD 2: INADMISSIBLE CAPABILITIES
Do not engage in any trade of capabilities that exploit vulnerabilities in medical devices or in systems to which human life is entrusted, unless the Vendor of the affected device or system is the Acquiring Entity, or the Acquiring Entity was authorised by the Vendor to be the recipient of the vulnerability disclosure process, vulnerability information, or risk mitigation strategy.
STANDARD 3: TRADE SECRETS
You will never trade in stolen trade secrets, and you will require your suppliers to certify that they have independently found the vulnerability and autonomously developed any related technology, that they are not employees of the targeted software manufacturer, and that they have not received access to the confidential information through a disclosure by the same.
PRINCIPLE C: AVOID CONFLICTS OF INTEREST
Strive to benefit those with whom you do business, and take care to avoid possible conflicts of interest that could cause your Company, its Employees, or Contractors to pursue goals not in the interest of the Company's business peers.
STANDARD 4: OVEREXPLOITATION
You will protect the value of the traded capabilities. You will specify the maximum number of entities to which the same capabilities may be sold within a given time-frame (unless the capabilities are intended for risk prevention).

Furthermore, you shall strive not to sell a vulnerability to one party and the technology to defend against that vulnerability to another party which is a likely target of the first.
STANDARD 5: UNINTENDED USE
Prohibit yourself, your employees and your contractors from using the information or the capabilities traded in the fulfilment of the service for the pursuit of personal goals. Authorised personnel shall use such capabilities only to test and validate them and, more generally, only for research and development purposes.
PRINCIPLE D: OBEY THE LAW
Comply with all applicable legal requirements and understand the major laws and regulations that apply to your business, including laws related to trade controls, anti-bribery, competition, trade secrets, money laundering and insider trading.
STANDARD 6: EXPORTING
Comply with trade laws controlling where you can send products and services, strive to meet the criteria required to hold export licences where applicable, and stay alert to changes in the applicable export licensing systems.
PRINCIPLE E: PRESERVE CONFIDENTIALITY
Protect the confidentiality of the identity of the entities you do business with, and the confidentiality of the information and intellectual property received from, or provided to, your business peers in the fulfilment of your Service. At the same time, recognise that the extent and limits of confidentiality may be regulated by applicable laws and regulations.
STANDARD 7: MAINTAINING CONFIDENTIALITY
To the extent and within the limits set by applicable laws and regulations, preserve the confidentiality of the identity of the entities you do business with. Restrict access to the information and the intellectual property received from or provided to your business partners on a need-to-know basis, enforcing the principle of least privilege.
PRINCIPLE F: DOCTRINE OF
DOUBLE EFFECT AND DUAL USE
Acknowledge that the capabilities you provide may be used within goods that, like any and all information security tools, are inherently dual purpose and potentially dual use, and therefore may also serve military purposes, police investigations and the like. The military use of the traded capabilities may have a double effect: the intended effect and the foreseen but genuinely unintended consequence. While discouraging harmful side effects, you acknowledge the inherent duality of the effects resulting from the use of those capabilities and you trade them, unless they are in conflict with other principles set forth in the present Ethics Code.
STANDARD 8: DUALITY
Acknowledge that the capabilities you provide can be used within goods that are inherently dual purpose, and accept to supply them as long as it is foreseeable that those capabilities will be used only for legitimate purposes in line with international standards for the respect of human rights, and unless their trade is in conflict with principles set out in the present Ethics Code.
CONCLUDING REMARKS
AND DEBATE
– Ayn Rand
“Every aspect of Western culture needs a
new code of ethics — a rational ethics — as
a precondition of rebirth.”
Every aspect of the vulnerabilities
supply chain needs a new code of ethics
— a rational ethics — as a precondition
of rebirth.
– Earl Warren
“In a civilised life, law floats in a sea of
ethics.”
THANK YOU!
ANY QUESTIONS?
Vulnerabilities and their Surrounding Ethical Questions: A Code of Ethics for the Private Sector - HITB GSEC Singapore 2016
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 

Vulnerabilities and their Surrounding Ethical Questions: A Code of Ethics for the Private Sector - HITB GSEC Singapore 2016

  • 1. VULNERABILITIES AND ETHICS: A CODE OF ETHICS FOR THE PRIVATE SECTOR HITB GSEC Singapore 2016, August 22nd-26th Alfonso De Gregorio, Zeronomicon
  • 3. Agenda 1. The Vulnerability Supply Chain 2. The Surrounding Ethical Questions 3. Code of Ethics: Principles and Standards 4. Concluding Remarks and Debate #VULNETHICS @ZERONOMICON
  • 50. – David Rice “patching allows software manufacturers to optimize market and legal protections by "re-negotiating" contract terms buyers could not negotiate in the first place”
  • 72. WHO HOLDS THE MORAL LOW GROUND?
  • 73. WHO ARE THE ONES THAT EXPLOIT US THE MOST?
  • 74. IF OUR GOVERNMENTS INTRODUCE TRADE CONTROLS TO ADMINISTER THE EXPORT OF INTRUSION SOFTWARE, SHOULD WE DEMAND THAT SOFTWARE MANUFACTURERS INTERNALISE THE COST OF THE INSECURE SOFTWARE THAT WE IMPORT INTO OUR LIVES, FOR REASONS OF SYMMETRY?
  • 75. SHOULD WE MAKE THEM LIABLE FOR THE DEFECTS AND FLAWS THAT ALLOW THE INTRUSION IN THE FIRST PLACE?
  • 76. WITH INCOMPLETE KNOWLEDGE ABOUT THE REAL-WORLD SECURITY OF THE SYSTEMS TO WHICH WE ENTRUST OUR BUSINESS, IS IT ETHICAL TO REFRAIN FROM HUNTING VULNERABILITIES, OR TO PREVENT OTHERS FROM DOING LIKEWISE?
  • 77. AND, WHAT SHOULD A SECURITY RESEARCHER DO WITH THE VULNERABILITIES ONCE THEY ARE FOUND?
  • 78. IS FULL DISCLOSURE AN ACCEPTABLE COURSE OF ACTION?
  • 79. DOES FULL DISCLOSURE BECOME MORE ACCEPTABLE IF THE AFFECTED VENDOR IGNORES THE VULNERABILITIES THAT WERE REPORTED RESPONSIBLY OR FAILS TO PROVIDE A TIMELY PATCH?
  • 80. DOES COORDINATED VULNERABILITY DISCLOSURE PROVIDE A MORE ETHICALLY SOUND PATH TO BE TAKEN?
  • 81. DOES THE SAME PATH REMAIN MORALLY PREFERABLE IF ONE OF THE PARTIES WHO RECEIVES THE VULNERABILITY INFORMATION FROM THE COORDINATOR, PRIOR TO ITS PUBLIC DISCLOSURE, DECIDES TO USE IT TO EXPLOIT VULNERABLE ENTITIES?
  • 82. ARE BUG BOUNTY PROGRAMS EXPLOITING BOUNTY HUNTERS?
  • 83. A Data Point. Target: Microsoft Outlook on the web (OWA). Exploit: Remote Code Execution. Price: $200,000 USD. Expires on: November 30th, 2016. https://www.zeronomi.com/campaigns.html
  • 84. SHOULD BUG HUNTERS EXPECT TO GET PAID IF THE OTHER PARTY HAS NOT ASKED THEM TO DO THEIR WORK?
  • 85. WHAT SHOULD GOVERNMENT SECURITY AGENCIES DO WITH VULNERABILITIES?
  • 86. SHOULD THEY EXPLOIT THEM OR SHOULD THEY LET EVERYBODY ELSE MITIGATE THEM, IN THE WAY THEY ALREADY DO?
  • 87. SHOULD THEY TAKE ADVANTAGE OF THOSE VULNERABILITIES TO BENEFIT A LIMITED NUMBER OF STAKEHOLDERS, OR SHOULD THEY DISCLOSE THEM TO ALL AFFECTED CONSTITUENTS?
  • 88. DOES THE POWER INEQUITY IN THE VULNERABILITY EQUATION HAVE TO BE BALANCED?
  • 89. WITH ENTITIES AFFECTED BY VULNERABILITIES SPREAD ALL AROUND THE WORLD, HOW TO INFORM THE PUBLIC?
  • 90. WITH VENDORS THREATENING LEGAL ACTION AND SUPPORTED BY THEIR SIGNIFICANT FINANCIAL RESOURCES, HOW TO PROTECT THE SECURITY RESEARCHERS?
  • 91. WITH OUR SOCIETY GROWING MORE DATA INTENSIVE, HOW TO OVERSEE NOT ONLY MATERIAL AND TECHNOLOGY BUT ALSO KNOWLEDGE?
  • 92. HOW DO THE ATTEMPTS TO STRIKE A BALANCE BETWEEN SCIENTIFIC OPENNESS AND NATIONAL SECURITY […] REDEFINE SCIENCE-SECURITY RELATIONS?
  • 93. HOW DOES SCIENTIFIC KNOWLEDGE BECOME SUBJECT TO SECURITY GOVERNANCE?
  • 94. HOW DOES THIS DYNAMIC AFFECT THE LINKS AMONG SCIENTIFIC KNOWLEDGE, SECURITY EXPERTISE AND POLITICAL DECISION?
  • 95. CAN WE REGARD HACKING TO BE AN ETHICAL PRACTICE AND CONDEMN, AT THE SAME TIME, THE TRADE OF CAPABILITIES ENABLING THIS PRACTICE AS IMMORAL?
  • 98. THE PRINCIPLES ARE ASPIRATIONAL GOALS AIMED AT GUIDING AND INSPIRING THE CONDUCT OF BUSINESS
  • 99. THE ETHICAL STANDARDS ARE ENFORCEABLE RULES FOR THE DAY-TO-DAY BUSINESS OPERATIONS.
  • 100. PRINCIPLE A: CLEAN HANDS. Respect all human rights proclaimed by international human rights treaties, including The International Bill of Human Rights, and strive to ensure no complicity in any human rights abuses.
  • 101. STANDARD 1: VETTING AND MONITORING OF CUSTOMERS. Do not engage in any business with entities known for abusing human rights, and reserve the right to suspend or cease business operations with entities found, at a later time, to be involved in human rights abuses.
  • 102. PRINCIPLE B: DO NOT POSE A DANGER TO HUMAN HEALTH. Champion the health of human beings and commit not to provide your Customer entities with capabilities that may pose a direct danger to human health.
  • 103. STANDARD 2: INADMISSIBLE CAPABILITIES. Do not engage in any trade of capabilities that exploit vulnerabilities in medical devices or in systems to which human life is entrusted, unless the Vendor of the affected device or system is the Acquiring Entity, or the Acquiring Entity was authorised by the Vendor to be the recipient of the vulnerability disclosure process, vulnerability information, or risk mitigation strategy.
  • 104. STANDARD 3: TRADE SECRETS. You will never trade in stolen trade secrets, and you will require your suppliers to certify that they have independently found the vulnerability and autonomously developed any related technology, and that they are not employees of the targeted software manufacturer, nor have they received access to its confidential information through a disclosure by the same.
  • 106. PRINCIPLE C: AVOID CONFLICTS OF INTEREST. Strive to benefit those with whom you do business, and take care to avoid possible conflicts of interest that could cause your Company, its Employees, or Contractors to pursue goals not in the interest of the Company's business peers.
  • 107. STANDARD 4: OVEREXPLOITATION. You will protect the value of the traded capabilities. You will specify the maximum number of entities to which the same capabilities may be sold within a given time-frame (unless the capabilities are intended for risk prevention). Furthermore, you shall strive not to sell a vulnerability to one party, and the technology to defend against that vulnerability to another party which is a likely target of the first.

  • 108. STANDARD 5: UNINTENDED USE. Prohibit yourself, your employees and your contractors from using the information or the capabilities traded in the fulfilment of the service for the pursuit of personal goals. Authorised personnel shall use such capabilities only to test and validate them and, more generally, only for research and development purposes.

  • 109. PRINCIPLE D: OBEY THE LAW. Comply with all applicable legal requirements and understand the major laws and regulations that apply to your business, including laws related to: trade controls, anti-bribery, competition, trade secrets, money laundering and insider trading.
  • 110. STANDARD 6: EXPORTING. Comply with the trade laws controlling where you can send products and services, strive to meet the criteria required to hold export licenses where applicable, and stay alert to changes in the applicable export licensing systems.
  • 111. PRINCIPLE E: PRESERVE CONFIDENTIALITY. Protect the confidentiality of the identity of the entities you do business with, and the confidentiality of the information and intellectual property received from, or provided to, your business peers in the fulfilment of your Service. At the same time, recognise that the extent and limits of confidentiality may be regulated by applicable laws and regulations.
  • 112. STANDARD 7: MAINTAINING CONFIDENTIALITY. Within the extent and limits regulated by applicable laws and regulations, preserve the confidentiality of the identity of the entities you do business with. Restrict access to the information and the intellectual property received from or provided to your business partners on a need-to-know basis, enforcing the principle of least privilege.
  • 113. PRINCIPLE F: DOCTRINE OF DOUBLE EFFECT AND DUAL USE. Acknowledge that the capabilities you provide may be used within goods that, just like any and all information security tools, are inherently dual purpose and potentially dual use, and therefore may also serve military purposes, police investigations and the like; the military use of the traded capabilities may have a double effect: the intended effect and the foreseen but genuinely unintended consequence. While discouraging harmful side effects, you acknowledge the inherent duality of the effects resulting from the use of those capabilities and you trade them, unless they are in conflict with other principles set forth in the present Ethics Code.
  • 114. STANDARD 8: DUALITY. Acknowledge that the capabilities you provide can be used within goods that are inherently dual purpose, and agree to supply them as long as it is foreseeable that those capabilities will be used only for legitimate purposes in line with international standards for the respect of human rights, and unless their trade is in conflict with principles set out in the present Ethics Code.
  • 117. – Ayn Rand “Every aspect of Western culture needs a new code of ethics — a rational ethics — as a precondition of rebirth.”
  • 118. Every aspect of the vulnerabilities supply chain needs a new code of ethics — a rational ethics — as a precondition of rebirth.
  • 120. – Earl Warren “In a civilised life, law floats in a sea of ethics.”