#HITBGSEC 2016 SG CommSec Track D2 - Vulnerabilities and Ethics - Alfonso De Gregorio

Zero-day vulnerabilities, holes in software that are unknown to the parties who could mitigate their specific negative effects, are gaining a prominent role in modern-day intelligence, national security, and law enforcement operations. At the same time, the lack of transparency and accountability in their trade and adoption, their possible over-exploitation or abuse, the latent conflicts of interest of the entities handling them, and their potential dual effect may pose societal risks or lead to breaches of human rights.

If left unaddressed, these usage-related challenges call into question the legitimacy of zero-day vulnerabilities as enablers of national security and law enforcement operations and erode the benefits that their proportionate use has for judiciary, defence, and intelligence purposes.

This work explores what the private sector involved in the trade of zero-day vulnerabilities can do to ensure respect for ‘human rights and the benign and societally beneficial use’ of those capabilities. After reviewing what can go wrong in the acquisition of zero-day vulnerabilities, we propose the first code of ethics focused on the trade of vulnerability information, in which the author sets forth six principles and eight corresponding ethical standards aimed respectively at guiding and regulating the conduct of this business.

===

Alfonso is a globally recognized security technologist, Founder and Director of Zeronomicon, the European premium zero-day exploit acquisition platform, Founder of BeeWise, the first cybersecurity prediction market, and Principal Security Researcher at secYOUre, a boutique security research firm providing practical strategic and technology consulting to high-performance organizations that need to achieve information assurance in today’s highly interconnected environment.

Alfonso helps colleagues, technology vendors, decision makers, and users reach confidence in, and profit from, processes to which we entrust our business, by combining his seventeen years’ professional experience, the ability to listen to, and envision, the security stakeholders’ real challenges, and a passionate pursuit of innovative solutions.