312-50V11 · Question #242
A well-intentioned researcher discovers a vulnerability on the web site of a major corporation. What should he do?
The correct answer is D. Notify the web site owner so that corrective action be taken as soon as possible to patch the. Responsible disclosure requires notifying the affected organization when a vulnerability is discovered, giving them the opportunity to patch it before it can be exploited.
Question
A well-intentioned researcher discovers a vulnerability on the web site of a major corporation. What should he do?
Options
- ATry to sell the information to a well-paying party on the dark web.
- BExploit the vulnerability without harming the web site owner so that attention be drawn to the
- CIgnore it.
- DNotify the web site owner so that corrective action be taken as soon as possible to patch the
How the community answered
(17 responses)- C6% (1)
- D94% (16)
Why each option
Responsible disclosure requires notifying the affected organization when a vulnerability is discovered, giving them the opportunity to patch it before it can be exploited.
Selling vulnerability information on the dark web is illegal and unethical, constituting active participation in cybercrime markets regardless of the seller's original intent.
Exploiting a vulnerability without authorization is illegal under laws such as the CFAA even when harm is not intended, and it does not guarantee the owner will be alerted or will act.
Ignoring a known vulnerability leaves users and the organization exposed to exploitation by malicious actors, which is an irresponsible and harmful outcome.
Notifying the web site owner follows the principle of responsible (coordinated) vulnerability disclosure, which gives the organization time to remediate the issue before it is publicly known or exploited by malicious actors. This ethical approach protects end users, preserves trust, and is the standard expected behavior in the security research community as outlined by organizations such as CISA and ISO 29147.
Concept tested: Responsible coordinated vulnerability disclosure ethics
Source: https://www.cisa.gov/coordinated-vulnerability-disclosure-process
Topics
Community Discussion
No community discussion yet for this question.