Further Reading: Chapter 5 — Ethics of Security Research

Essential Reading

Books on Hacking Ethics and Culture

Levy, Steven. Hackers: Heroes of the Computer Revolution (25th Anniversary Edition, O'Reilly Media, 2010). The classic history of hacker culture, from the MIT AI Lab in the 1950s to the open-source movement. Levy's articulation of the "hacker ethic" — access to computers should be unlimited, information should be free, authority should be distrusted — provides essential context for understanding the ethical debates in modern security research. Why read this: Understanding the cultural roots of hacker ethics helps you understand why the disclosure debate is so passionate.

Poulsen, Kevin. Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground (Crown, 2011). The story of Max Butler (Max Vision), a talented security researcher who crossed the line into criminal hacking. Poulsen, himself a former hacker turned journalist, provides an unflinching look at the ethical compromises that lead researchers astray. Why read this: A cautionary tale about the slippery slope from security research to cybercrime.

Zetter, Kim. Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (Crown, 2014). The definitive account of Stuxnet, the U.S.-Israeli cyberweapon that targeted Iran's nuclear program. Zetter examines the ethical, legal, and strategic implications of nation-state offensive cyber operations. Why read this: Stuxnet is the most significant example of weaponized vulnerability exploitation by a government, raising profound ethical questions about state-sponsored hacking.

Schneier, Bruce. Click Here to Kill Everybody: Security and Survival in a Hyper-connected World (W.W. Norton, 2018). Schneier examines the security implications of the Internet of Things and argues for stronger regulation of cybersecurity. His chapter on the ethics of vulnerability research and disclosure is particularly relevant. Why read this: Schneier is one of the most influential voices in cybersecurity policy, and this book contextualizes vulnerability ethics within broader societal concerns.

Disclosure Policy and Practice

Arora, Ashish, Rahul Telang, and Hao Xu. "Optimal Policy for Software Vulnerability Disclosure." Management Science 54, no. 4 (2008): 642-656. An economic analysis of vulnerability disclosure policies, comparing the incentive effects of different disclosure regimes. The authors develop a formal model showing when full disclosure, coordinated disclosure, and vendor-controlled disclosure produce the best outcomes for users. Why read this: Provides rigorous analytical foundations for the disclosure debate.

Householder, Allen D., Garret Wassermann, Art Manion, and Chris King. "The CERT Guide to Coordinated Vulnerability Disclosure." Carnegie Mellon University, Software Engineering Institute, 2017 (CMU/SEI-2017-SR-022). The most comprehensive practical guide to coordinated vulnerability disclosure, written by the team that has coordinated more disclosures than any other organization. Covers the entire process from discovery to publication. Why read this: The definitive practitioner's guide to CVD.

Moussouris, Katie, and Matthew Siegel. "The Wolves of Vuln Street: The 1st Rule of Bug Bounty." 2016. An analysis of the economics and ethics of bug bounty programs by one of the pioneers of the bug bounty movement. Moussouris, who created Microsoft's bug bounty program and later founded Luta Security, provides an insider's perspective on the challenges and opportunities of bounty programs. Why read this: Practical wisdom from someone who has shaped the modern bug bounty ecosystem.

Vulnerability Markets and Government Hacking

Fidler, Mailyn. "Regulating the Zero-Day Vulnerability Trade: A Preliminary Analysis." I/S: A Journal of Law and Policy for the Information Society 11, no. 2 (2015): 405-480. A comprehensive legal and policy analysis of the zero-day vulnerability market, examining existing regulatory frameworks and proposing new approaches. Why read this: The most thorough academic treatment of the vulnerability market's legal and ethical dimensions.

Healey, Jason (ed.). A Fierce Domain: Conflict in Cyberspace, 1986 to 2012 (Cyber Conflict Studies Association, 2013). A history of cyber conflict that includes detailed analysis of the evolving relationship between security researchers, governments, and the vulnerability market. Why read this: Historical context for understanding why governments buy vulnerabilities and how the market has evolved.

Perlroth, Nicole. This Is How They Tell Me the World Ends: The Cyberweapons Arms Race (Bloomsbury, 2021). A journalist's investigation into the global market for zero-day exploits, from Silicon Valley hackers to government spy agencies. Perlroth provides unprecedented access to the individuals and organizations that buy, sell, and stockpile cyber weapons. Why read this: The most accessible and comprehensive account of the vulnerability market's human dimension.

Ethical Frameworks

Applied Ethics in Technology

Vallor, Shannon. Technology and the Virtues: A Philosophical Guide to a Future Worth Wanting (Oxford University Press, 2016). A virtue ethics approach to technology ethics, including specific discussion of how virtue ethics applies to cybersecurity and hacking. Why read this: Provides the philosophical depth needed to reason about ethical dilemmas that simple rules cannot resolve.

Floridi, Luciano. The Ethics of Information (Oxford University Press, 2013). A comprehensive philosophical framework for information ethics, including the ethics of information creation, processing, and distribution. Relevant to questions about vulnerability information disclosure. Why read this: The most rigorous philosophical treatment of information ethics, applicable to disclosure questions.

Professional Ethics

ISC2. "Code of Ethics." The full text of the ISC2 Code of Ethics, required for CISSP and related certification holders. Available on the ISC2 website. Why read this: The most widely adopted professional code of ethics in cybersecurity.

ACM. "Code of Ethics and Professional Conduct." The Association for Computing Machinery's code, which provides a broader framework for computing ethics that encompasses security research. Why read this: A well-crafted professional code with useful guidance on harm avoidance and professional responsibility.

Case Study Sources

Project Zero and Disclosure Deadlines

Google Project Zero Blog. Project Zero publishes detailed write-ups of every vulnerability it discloses, along with policy updates and data analysis. The blog is an invaluable resource for understanding both the technical details of vulnerabilities and the practical implementation of deadline-based disclosure. URL: https://googleprojectzero.blogspot.com/

Hawkes, Ben. "Policy and Disclosure: 2021 Edition." Google Project Zero Blog, 2021. Project Zero's announcement of the 90+30 policy, with data supporting the policy's effectiveness and a discussion of the reasoning behind the changes. Why read this: The most authoritative explanation of the world's most influential disclosure policy.

Dan Kaminsky and DNS

Kaminsky, Dan. "Black Ops 2008: It's the End of the Cache as We Know It." Presentation at Black Hat USA 2008. Kaminsky's original Black Hat presentation on the DNS vulnerability. The slides and video are available online and remain some of the most effective security communication ever produced. Why read this: A masterclass in both technical analysis and security communication.

Goodin, Dan. "The Pirate Bay Sinks: How (and Why) a DNS Vulnerability Became the Internet's Worst Nightmare." Ars Technica, August 2008. Detailed technical journalism covering the DNS vulnerability and its disclosure. Why read this: Excellent technical journalism providing context and perspective on the disclosure process.

Online Resources

Electronic Frontier Foundation — Security Research. The EFF's resources on security research law and ethics, including legal guides, policy analysis, and case tracking. URL: https://www.eff.org/issues/security

I Am The Cavalry. A grassroots initiative focused on the security of systems that can impact public safety and human life, including medical devices, automobiles, and critical infrastructure. Their work on ethical guidelines for security research in safety-critical domains is particularly relevant. URL: https://www.iamthecavalry.org/

Disclose.io. A community project that provides standardized templates for vulnerability disclosure programs and safe harbor provisions, along with guidance for researchers and organizations. URL: https://disclose.io/

FIRST PSIRT Services Framework. The Forum of Incident Response and Security Teams' framework for Product Security Incident Response Teams, providing guidance on how vendors should handle vulnerability reports. URL: https://www.first.org/standards/frameworks/psirts/psirt_services_framework_v1.1