312-50V10 · Question #242
A well-intentioned researcher discovers a vulnerability on the web site of a major corporation. What should he do?
The correct answer is D. Notify the web site owner so that corrective action be taken as soon as possible to patch the. Responsible disclosure requires a researcher to report a discovered vulnerability directly to the affected organization so it can be patched before malicious actors exploit it.
Question
A well-intentioned researcher discovers a vulnerability on the web site of a major corporation. What should he do?
Options
- ATry to sell the information to a well-paying party on the dark web.
- BExploit the vulnerability without harming the web site owner so that attention be drawn to the
- CIgnore it.
- DNotify the web site owner so that corrective action be taken as soon as possible to patch the
How the community answered
(30 responses)- B7% (2)
- C3% (1)
- D90% (27)
Why each option
Responsible disclosure requires a researcher to report a discovered vulnerability directly to the affected organization so it can be patched before malicious actors exploit it.
Selling vulnerability data on the dark web is illegal under computer fraud and cybercrime statutes in most jurisdictions and directly enables malicious exploitation of the flaw.
Exploiting a vulnerability on systems you do not own constitutes unauthorized access regardless of intent, violating laws such as the US Computer Fraud and Abuse Act and equivalent statutes globally.
Ignoring a known vulnerability leaves affected users exposed to potential exploitation by malicious actors who may independently discover the same flaw.
Coordinated (responsible) disclosure is the industry-standard ethical practice where the finder privately notifies the vendor or site owner, provides details needed to reproduce and fix the issue, and allows a reasonable remediation window before any public announcement. This protects end users while ensuring the vulnerability is eventually resolved, and is recognized by frameworks such as ISO/IEC 29147.
Concept tested: Responsible (coordinated) vulnerability disclosure ethics
Source: https://www.iso.org/standard/72311.html
Topics
Community Discussion
No community discussion yet for this question.