should vulnerability research be illegal ? What is appropriate ? What about pen testing ? Listen to this podcast I just published and share your thoughts ...https://www.buzzsprout.com/1312267/5646316-vulnerability-research-or-computer-fraud-abuse-pen-testing-or-breaking-entering

Question

should vulnerability research be illegal ?   What is appropriate ?  What about pen testing ?  Listen to this podcast I just published and share your thoughts ...https://www.buzzsprout.com/1312267/5646316-vulnerability-research-or-computer-fraud-abuse-pen-testing-or-breaking-entering

Answer

The law does not encourage experts with the skill to investigate cyberthreats to do so. However, vulnerability research is critical to understanding how vulnerabilities can be exploited by bad actors. The most basic moral concern in ethics is the duty to avoid knowingly or recklessly inflicting harm creating an innate “duty not to harm.” Research shows that if researchers do not engage in conduct that causes “harm” their conduct does not necessarily conflict with ethical and or legal considerations. Therefore, vulnerability research is neither unethical nor illegal.But creating effective defenses against cyberthreats requires researchers to master hacking activities such as network recognizance and vulnerability exploitation. Such research motivated activities are NOT inherently illegal or unethical. It is the misinterpretation of these activities and the lack of clear standards for such research that proves troublesome. The podcast spent considerable time discussing the concept of “breaking the term of service” as associated with vulnerability research and suggests that this could prevent lawful vulnerability research. I disagree with the podcast assertion that breaking the term of service could be a reason to NOT pursue vulnerability research. A decision from the 9th Circuit Court of Appeals suggest breaking terms of service is not a crime that someone can be prosecuted for. Adhering to a term of service should not prohibit organizations from finding/closing vulnerabilities and in turn sharing that research.