Chapter 5 Exercises: Ethics of Security Research

Exercise 1: Disclosure Model Comparison (Beginner)

Create a comparison table of the four main disclosure models (Coordinated Vulnerability Disclosure, Full Disclosure, Non-Disclosure, and Government Disclosure). For each model, list:

a) How the vulnerability is reported
b) Who benefits most from this model
c) Who is most at risk from this model
d) A real-world example where this model was used
e) The primary ethical argument for and against it

Exercise 2: Ethical Framework Application (Beginner)

A researcher discovers a critical vulnerability in a popular video baby monitor that allows remote attackers to view and listen through the camera. The vendor has been notified but has not responded after 60 days. Apply each of the following ethical frameworks to determine what the researcher should do:

a) Utilitarianism (greatest good for the greatest number)
b) Deontological ethics (moral duty and rules)
c) Virtue ethics (what would a virtuous researcher do?)
d) Care ethics (protecting vulnerable parties)

Write a 200-word analysis for each framework and note where they agree and disagree.

Exercise 3: Disclosure Timeline Exercise (Beginner)

You discover a SQL injection vulnerability in a mid-size e-commerce company's website. The vulnerability allows access to customer credit card numbers. Create a detailed disclosure timeline that includes:

a) Initial steps upon discovery
b) How you will contact the vendor
c) What information you will include in your initial report
d) Follow-up milestones
e) Conditions under which you would publish early or extend the deadline
f) Final publication plan

Exercise 4: Vulnerability Market Economics (Beginner)

Using Zerodium's published price list and publicly available information about major bug bounty programs, create a comparison chart showing the price differential between selling a vulnerability to:

a) The vendor's bug bounty program
b) Zerodium
c) Estimated black market value

Do this for the following vulnerability types: iOS remote code execution, Android remote code execution, Chrome sandbox escape, WhatsApp remote code execution, and Windows local privilege escalation. What conclusions can you draw about the economics of the vulnerability market?

Exercise 5: Personal Code of Ethics Draft (Beginner)

Write your initial personal code of ethics for security research. Your code should include at least eight principles covering:

- How you will handle vulnerability discoveries
- Your approach to disclosure
- Your position on testing systems without explicit authorization
- Your stance on vulnerability markets
- How you will handle pressure from employers or clients to act unethically
- Your commitment to ongoing ethical development

For each principle, write a brief explanation (2-3 sentences) of why you chose it.

Exercise 6: Scenario Analysis — Bug Bounty Edge Cases (Intermediate)

For each of the following bug bounty scenarios, analyze the ethical issues and recommend a course of action:

a) You find a critical vulnerability in a company's website, but the company does not have a bug bounty program or VDP. The only contact information available is a generic info@ email address.

b) You find a vulnerability in a bug bounty program's in-scope target that also affects an out-of-scope system. Exploiting the in-scope target causes the out-of-scope system to leak data.

c) You report a vulnerability through a bug bounty platform. Six months later, the vendor has not fixed it. Another researcher independently discovers and publishes the same vulnerability.

d) You find a vulnerability that the vendor's bug bounty program rewards at $500. You know that Zerodium would pay $100,000 for the same vulnerability. What ethical considerations should guide your decision?

e) During bug bounty research, you accidentally access real user data (email addresses and passwords). What should you do?

Exercise 7: Dual-Use Tool Assessment (Intermediate)

Evaluate the following security tools using a dual-use analysis framework. For each tool, rate its offensive vs. defensive utility, its potential for misuse, and whether you believe distribution restrictions would be appropriate:

a) Metasploit Framework
b) Mimikatz
c) Cobalt Strike
d) Burp Suite
e) Nmap
f) John the Ripper
g) Social Engineering Toolkit (SET)
h) Wireshark

Write a 100-word justification for your two most controversial ratings.

Exercise 8: Google Project Zero Case Analysis (Intermediate)

Research three specific instances where Google Project Zero's 90-day disclosure deadline created controversy with a vendor. For each case:

a) Describe the vulnerability
b) Explain the vendor's position
c) Explain Project Zero's position
d) Analyze whether the 90-day deadline was appropriate in that specific case
e) Suggest how the situation could have been handled better

Exercise 9: The Dan Kaminsky DNS Disclosure (Intermediate)

Research Dan Kaminsky's 2008 DNS vulnerability disclosure in detail. Write a 750-word analysis addressing:

a) Why did Kaminsky choose coordinated disclosure rather than full disclosure?
b) What made the multi-vendor coordination so challenging?
c) How did the early leak of technical details (by Halvar Flake) affect the situation?
d) What precedents did this disclosure set for future coordinated disclosures?
e) Could the same approach work today? Why or why not?

Exercise 10: Ethics of Offensive Security Services (Intermediate)

The following companies sell offensive security capabilities. Research each and write a 200-word ethical assessment:

a) NSO Group (Pegasus spyware)
b) Hacking Team (surveillance tools)
c) CrowdStrike (threat intelligence and incident response)
d) Zerodium (exploit acquisition)
e) Recorded Future (dark web monitoring)

For each, identify: who their customers are, what ethical guardrails they claim to have, and whether those guardrails have been effective.

Exercise 11: Wassenaar Scenario Analysis (Intermediate)

For each of the following scenarios, determine whether the activity would be restricted under the Wassenaar Arrangement's intrusion software provisions. Explain your reasoning.

a) A French researcher publishes a blog post with proof-of-concept code for a Windows zero-day
b) A U.S. security company sells a penetration testing tool to a Japanese client
c) A German researcher presents exploit techniques at a conference in the United States
d) A UK company develops custom exploit tools for use by its own employees in penetration testing engagements worldwide
e) An Australian researcher contributes a module to the open-source Metasploit Framework

Exercise 12: Whistleblower Protection Analysis (Intermediate)

A security researcher working at a large technology company discovers that their employer is deliberately ignoring a known vulnerability that affects millions of users because fixing it would be too expensive. The researcher reports the issue internally, but management refuses to act. Analyze:

a) What legal protections exist for the researcher if they disclose the vulnerability externally?
b) What ethical obligations does the researcher have?
c) What risks does the researcher face?
d) What would you advise the researcher to do?

Exercise 13: Developing a Vulnerability Disclosure Policy (Advanced)

Design a comprehensive Vulnerability Disclosure Policy (VDP) for MedSecure Health Systems. Your VDP should include:

a) Scope definition (considering HIPAA-regulated systems)
b) Safe harbor commitment
c) Rules of engagement for researchers
d) Reporting mechanism and expected response times
e) Handling of PHI encountered during research
f) Recognition and reward structure (if any)
g) Legal language

Your VDP should be realistically implementable and compliant with HIPAA and DOJ guidance.

Exercise 14: Ethics Debate Preparation (Advanced)

Prepare arguments for a structured debate on one of the following propositions:

a) "Government agencies should be prohibited from purchasing zero-day vulnerabilities."
b) "Full disclosure is more ethical than coordinated disclosure."
c) "Exploit brokers like Zerodium provide a net benefit to cybersecurity."
d) "Security researchers should be legally permitted to test any system without authorization, provided they report findings and cause no damage."

Prepare both the affirmative and negative positions (500 words each). Identify the strongest argument on each side and the weakest argument on each side.

Exercise 15: Case Study — The Shadow Brokers (Advanced)

Research the Shadow Brokers leak of NSA hacking tools (2016-2017). Write a 1,000-word analysis addressing:

a) What tools and exploits were leaked?
b) How did the leak lead to WannaCry and NotPetya?
c) What does the incident reveal about the ethics of government vulnerability stockpiling?
d) How should the VEP (Vulnerabilities Equities Process) be reformed in light of this incident?
e) What responsibilities did Microsoft, the NSA, and the security community have in the aftermath?

Exercise 16: Responsible AI in Security Research (Advanced)

AI-powered security tools can now automatically discover and exploit vulnerabilities. Write a 750-word essay addressing:

a) What unique ethical challenges do AI-powered vulnerability discovery tools create?
b) How should existing disclosure norms be adapted for AI-discovered vulnerabilities?
c) Should there be restrictions on the development or deployment of AI-powered offensive security tools?
d) How do existing ethical frameworks (utilitarian, deontological, virtue ethics) apply to AI-driven security research?

Exercise 17: Comparative Disclosure Framework (Advanced)

Compare the vulnerability disclosure frameworks of three countries (e.g., Netherlands, United States, Japan). For each country:

a) Describe the official government guidance on vulnerability disclosure
b) Identify any legal safe harbors for researchers
c) Assess how well the framework balances researcher rights with public safety
d) Identify best practices that could be adopted by other countries

Write a 1,200-word comparative analysis with recommendations for a model international framework.

Exercise 18: Ethics of Social Engineering Research (Advanced)

Social engineering research raises unique ethical concerns because it involves manipulating human beings rather than computer systems. Write a 750-word analysis addressing:

a) Is it ethical to conduct phishing simulations against employees during a penetration test?
b) What safeguards should be in place to protect employees' dignity and psychological well-being?
c) How should results be reported to avoid singling out individuals?
d) Is there a meaningful ethical difference between social engineering in a pentest and social engineering in academic research?

Exercise 19: Building an Ethics Review Board (Advanced)

Design an Ethics Review Board for a penetration testing company. Your proposal should include:

a) Membership composition (who should be on the board?)
b) Review criteria (what types of activities should be reviewed?)
c) Decision-making process
d) Appeal mechanism
e) Documentation requirements
f) Relationship to legal compliance

Write a 500-word proposal with justification for your design choices.

Exercise 20: Comprehensive Ethical Analysis (Advanced)

Choose one of the following real-world incidents and conduct a comprehensive ethical analysis (1,500 words):

a) The Marcus Hutchins (MalwareTech) case — from WannaCry hero to federal charges
b) The Moxie Marlinspike/Cellebrite disclosure — exposing law enforcement tool vulnerabilities
c) The Apple vs. FBI encryption dispute (2016)
d) The Kaseya/REvil ransomware incident and the FBI's delayed key release

Your analysis should:

- Describe the facts of the incident
- Identify all stakeholders and their interests
- Apply at least three ethical frameworks
- Evaluate the actions of each major party
- Propose what should have been done differently (if anything)
- Draw lessons for future security researchers