Question:
Case Study: Ethics and Vulnerability Disclosures

Background

The relationship between system vulnerabilities and ethical hackers (also known as security researchers) is a complex and interdependent one. On one hand, it is near-impossible for companies to develop complex systems and platforms without any exploitable vulnerabilities. This is why the apps and programs we use must be updated regularly: while some updates deliver new features, more commonly they provide fixes for bugs or vulnerabilities. Internal teams can only go so far in identifying bugs and vulnerabilities, because they can find it difficult to consider alternative perspectives on how the system might be attacked. Increasingly, third parties play a role in identifying issues and disclosing them to companies so that fixes can be developed. Some companies have embraced this process, and many now publish vulnerability disclosure policies that set out how ethical hackers should report a finding and what they can expect in return. The role of third-party ethical hackers is to identify vulnerabilities and advise companies in an effort to a) improve the overall security of the platform, and b) be rewarded for their efforts in identifying platform risks. These rewards are often known as bounties. Typically, those who work in identifying system vulnerabilities collaborate with the affected platforms, with both parties benefiting: a more secure platform for the company, and a financial reward for the researchers who identified the issues.
Windows Zero-Day
On 22 November 2021, Bleeping Computer reported that security researcher Abdelhamid Naceri had publicly released details of what is known as a zero-day vulnerability affecting Windows 10, Windows 11, and Windows Server. (A zero-day vulnerability is one for which the vendor has no fix available; publishing its details, as happened here, therefore leaves users with no patch to apply.) In detailing the vulnerability, Naceri explained that a threat actor who already has access to a device can elevate their privileges from a standard user account to SYSTEM privileges, giving them far greater ability to access and interfere with the affected Windows systems. Publishing details of how to exploit a vulnerability when there is no known way to prevent exploitation puts every user of the affected Windows versions at risk: anyone with malicious intent could exploit the vulnerability, and Microsoft was unable to offer assurances to its enormous user base. Within days, it was reported that threat actors had begun abusing the vulnerability in malware.

What motivated Naceri to take such an action? Naceri defended the decision to release the details of the vulnerability by saying that he was frustrated by Microsoft's decreasing payouts in its bug bounty program. On Twitter, @MalwareTechBlog stated: "Under Microsoft's new bug bounty program one of my zerodays has gone from being worth $10,000 to $1,000."
Response Part 3: Your evaluation of the outcome (300 words)
6. This section centres on your opinion, based on the ethical analysis you have undertaken. State your viewpoint on what you believe is the best way to resolve the dilemma, based on your analysis of the options and the ethical considerations.
a. Be sure to elaborate in the context of two (2) theoretical approaches in ethics that have been discussed in this subject.
b. Why do you think your recommendation is the morally right one to make?
