Should vulnerability research be illegal? What is appropriate? What about pen testing? Listen to this podcast I just published and share your thoughts ...


Chief Information Officer in Healthcare and Biotech, 1,001 - 5,000 employees
The law does not encourage experts with the skill to investigate cyberthreats to do so. However, vulnerability research is critical to understanding how vulnerabilities can be exploited by bad actors. The most basic moral concern in ethics is the duty to avoid knowingly or recklessly inflicting harm, creating an innate "duty not to harm." Research shows that if researchers do not engage in conduct that causes "harm," their conduct does not necessarily conflict with ethical and/or legal considerations. Therefore, vulnerability research is neither unethical nor illegal.

But creating effective defenses against cyberthreats requires researchers to master hacking activities such as network reconnaissance and vulnerability exploitation. Such research-motivated activities are NOT inherently illegal or unethical. It is the misinterpretation of these activities and the lack of clear standards for such research that proves troublesome. The podcast spent considerable time discussing the concept of "breaking the terms of service" as associated with vulnerability research and suggests that this could prevent lawful vulnerability research. I disagree with the podcast's assertion that breaking the terms of service could be a reason to NOT pursue vulnerability research. A decision from the 9th Circuit Court of Appeals suggests that breaking terms of service is not a crime that someone can be prosecuted for. Adhering to terms of service should not prohibit organizations from finding/closing vulnerabilities and in turn sharing that research.
