Security vulnerability research (SVR) involves searching for security flaws in a system. Such activity is likely to raise ethical concerns which need to be considered. For example, if a security researcher discovers a vulnerability in a critical infrastructure that can be exploited by an attacker; what is the right thing to do? Based on 'duty of care' principle and the fact that a public disclosure would force the critical infrastructure operator to quickly address the issue; going public with

more »

... he discovery seems to be the right course of action. However, based on 'do not cause harm to others' principle, a public disclosure could badly affect the reputation of the critical infrastructure operator. Also, there is the possibility that the disclosed vulnerability could be exploited by an attacker before the operator is able to resolve the problem. The question would then be: is public disclosure still the right thing to do? This type of situation raises an ethical dilemma because a critical infrastructure is a system that is essential for the maintenance of vital societal functions and any attack against such an infrastructure would have a devastating effect. In this paper, we examine the ethical implications of SVR for critical infrastructure protection using the three normative ethical theories. First, we review the state-of-the-art of ethics in SVR. Then, we investigate how the three different normative ethical frameworks would respond to a hypothetical scenario relating to security vulnerability in a critical infrastructure in order to provide guidance for security researchers involved in SVR. Finally, we present a discussion on how a security researcher would make an ethical decision when confronted with an ethical dilemma. We observe from this study that a security researcher could rely on the three different normative ethical frameworks to reason about the best course of action during SVR for critical infrastructure protection.