Tech Company vs Tech Company Ethical Analysis – Description
Introduction
The debate over “responsible” disclosure of software vulnerabilities has been a mainstay in the cyber security industry. In 2015, new fuel was added to the fire as Google disclosed a Microsoft Windows vulnerability, along with exploit code, two days before the scheduled patch. [Note: Exploit code is the section of code that hackers can exploit to hack software.]
Company v. Company Disclosure Debate
In 2015, the bug was found by Google’s in-house security research team, which searches for vulnerabilities in Google software, as well as that of other vendors, including Microsoft. Upon finding a vulnerability, Google adheres to a strict 90-day policy: Vendors are notified of the bug, and a public disclosure is automatically released 90 days after, regardless of whether the bug has been addressed.
Microsoft initially asked for an extension beyond the 90 days, which Google denied. Google also denied a request to extend the disclosure date to the first “Patch Tuesday” of the month (the second Tuesday of the month, and the release date developers prefer for patches).
Microsoft criticized Google in a blog post, calling the company’s decision a “gotcha” opportunity that came at the expense of the users, who were at risk for the two days between the disclosure and the patch release. Microsoft reiterated its support for “Coordinated Vulnerability Disclosure,” which calls for security researchers to work closely with developers to ensure a fix is released before the public disclosure.
Google, and supporters of similar disclosure policies, argue that firm disclosure dates prevent developers from sweeping vulnerabilities under the rug, and that such policies should strike a balance between the public’s right to know and giving the developer a chance to fix the problem. Many take an even harder stance and propose that immediate public disclosure is the best policy.
Perform an ethical analysis on this case. Analyze it from the perspective of Google and assess their decision. During your analysis, cite an ethical standard you feel best suits the most ethical decision that could be made (there are several standards that were part of the content of week 6, or you can describe your own). Use this standard to prescribe a course of action that Google should have taken in this case (your course of action may or may not match what Google actually did). Be as thorough as possible.