
Agents of responsibility in software vulnerability processes

Ethics and Information Technology

Abstract

Modern software is riddled with flaws that have information security implications. Pervasive computing has made us and our society vulnerable. However, software developers do not fully comprehend what is at stake when faulty software is produced and flaws causing security vulnerabilities are discovered. To address this problem, we identify the main actors involved in software vulnerability processes and the relevant roles within these groups. This categorisation is illustrated through a fictional case study, which is scrutinised in the light of the ethical codes of professional software engineers and common principles of responsibility attribution. The focus of our analysis is on the acute handling of discovered vulnerabilities in software, including reporting, correcting and disclosing them. We recognise a need for guidelines and mechanisms to facilitate further improvement both in the processes that lead to software vulnerabilities and in the handling of them. In the spirit of disclosive ethics, we call for further studies of the complex issues involved.




Cite this article

Takanen, A., Vuorijärvi, P., Laakso, M. et al. Agents of responsibility in software vulnerability processes. Ethics and Information Technology 6, 93–110 (2004). https://doi.org/10.1007/s10676-004-1266-3
