Abstract
In this article we establish three claims: (1) when the target software is proprietary, in the absence of other overriding ethical considerations, the identification of a vulnerability and the development, sale, and purchase of non-zero-day exploits are ethically justified; (2) when the target software is Free/Libre/Open Source, the buying and selling of vulnerabilities can be ethically justified only in a very narrow situation, while the sale and purchase of non-zero-day exploits is ethically justified absent any other overriding information; and (3) democratic governments should promote legislation that either incentivizes corporate in-house vulnerability identification and mitigation programs or requires firms to more fully absorb the societal costs of insecure software.
| Original language | English |
|---|---|
| Pages (from-to) | 269-279 |
| Number of pages | 11 |
| Journal | Information Society |
| Volume | 32 |
| Issue number | 4 |
| DOIs | |
| State | Published - 7 Aug 2016 |
| Externally published | Yes |
Keywords
- Bug bounty programs
- information ethics
- software exploits
- software vulnerabilities
- zero-day exploits
ASJC Scopus subject areas
- Management Information Systems
- Cultural Studies
- Information Systems
- Political Science and International Relations