1 parent 8fefbfe, commit 28b24b6. Showing 2 changed files with 44 additions and 30 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
@@ -2,32 +2,46 @@ | |
type: codeofethics | ||
title: Code of Ethics | ||
--- | ||
## CODE OF ETHICS 0.1 | ||
|
||
1. DIVD is a Dutch research institute that works with volunteers who aim to make the digital world safer by searching the internet for vulnerabilities and reporting the findings to those who can fix these vulnerabilities. | ||
2. As we work on sensitive data, gathered without informed consent, we established this Code of Conduct to provide an ethical base for the work we do. This code can also be used by other researchers working on what is currently referred to as responsible disclosure, or coordinated vulnerability disclosure. | ||
3. In our research projects we, for example: | ||
|
||
* Scan the internet for vulnerabilities, mostly Common Vulnerabilities and Exposures (CVEs), and report our findings and possible solutions to the owners of these systems. | ||
* Analyse online systems for new vulnerabilities (zero-days), report our findings to the makers and try to help them out in fixing the vulnerabilities. | ||
* Analyse databases with leaked credentials and report to the organisations or people who are compromised to take appropriate measures. | ||
* Work with trusted partners to extend our reach and notify as many organisations and people as possible | ||
4. We are aware that we operate at the edges of what is legally allowed, so we proceed by these three criteria commonly used in court cases on vulnerability disclosures: | ||
|
||
* Societal need: we do vulnerability disclosure to prevent online damage to as many internet users as possible and don’t serve any particular financial, political or individual interests. | ||
* Principle of Proportionality: we serve this need with appropriate means. Our research should increase and not decrease the integrity and availability of online systems. | ||
* Principle of Subsidiarity: if several means are available to meet the need, we opt for the one which has the least impact. | ||
5. We validate our findings to prevent reporting false positives or miss false negatives and sometimes need to verify if a vulnerability is actually present. We use custom-made scripts based on publicly available proof of concepts or non-weaponized exploit code and take good care that we don’t damage systems, download too much personal data, or create backdoors. | ||
6. Our findings typically consist of lists with several to millions of IP addresses, the type of vulnerability found, contact information, and metadata (e.g. timestamps, scripts, researchers working on the data). This is sensitive data, so we take all precautions necessary to protect the confidentiality of this data. | ||
7. We disclose zero-day vulnerabilities to the vendor first, then request CVE numbers and negotiate a reasonable time span for disclosing it to our Trusted Information Sharing Partners and the broader public. Ideally, the disclosure is preceded by a patch. If a vendor is obviously slow in providing the patch and it is likely others may discover and abuse the vulnerability, we may consider disclosure to warn potential victims and advise them on mitigation measures. | ||
8. We report the CVEs we find to the owners of the systems, mostly by generating email addresses based on their domain name, such as info@, security@ or abuse@ and to the listed abuse addresses of IP owners. We may also send them our findings through our Trusted Information Sharing Partners, who are, for example, Computer Emergency Response Teams, Computer Security Incident Response Teams, Internet Service Providers, governmental organisations or other research institutes. | ||
9. We analyse online threats, not threat actors. We are researchers and don’t serve the needs of governments or law enforcement. | ||
10. After reporting our findings, we repeat our scans to track progress. We, therefore, need to store data and log our activities. We may also need this data in case of a dispute. We minimize the amount of personal data we gather and store and are aware that an IP address can also be perceived as information relating to an identified or identifiable natural person. We believe that our processing of this data is proportional to our aim to protect much more sensitive personal data in the systems at stake. | ||
11. During our research, we inform the broader security community and the media about our findings only on a statistical basis: just numbers, no names, or other identifiable information. We close all research projects with a report, which can be downloaded from divd.nl and is under Creative Commons Licence. | ||
12. We only report vulnerable systems. Patching or other mitigation is solely the responsibility of the owner. | ||
13. DIVD is responsible for making researchers aware of these rules, while it is the responsibility of each researcher to stick to them. If they don’t, the board will take appropriate measures, for instance by revoking their DIVD account. | ||
14. This Code of Conduct will also be used as an ethical guidance for our DIVD Academy, shared with the broader security community and updated regularly. Suggestions and feedback are welcome. Contact our ethical committee [[email protected]](mailto:[email protected]) | ||
|
||
## MORE INFO: | ||
|
||
Is it legit to exchange lists of IP addresses together with vulnerabilities? The short answer is: Yes, according to Dutch law we can. The more elaborate answer you will find in this Liability Impact Assessment, prepared by Privacy Management Partners (in Dutch). [Click here to download](/documents/LIA_abuse_informatie_v1.1.pdf) (Dutch) | ||
#### **Preamble** | ||
|
||
This Code of Ethics guides the ethical conduct of all members of the Dutch Institute for Vulnerability Disclosure (DIVD). It outlines the principles and standards all members must uphold in their professional activities. | ||
|
||
#### **1. Guiding Principles** | ||
|
||
1. **Integrity**: Act with honesty and integrity in all professional interactions. Provide honest and accurate reporting. | ||
2. **Respect**: We respect individuals' dignity, rights, and privacy. We also respect all laws and are dedicated to protecting our clients' systems and data. | ||
3. **Fairness**: Treat all individuals equitably and avoid favoritism or discrimination. | ||
4. **Accountability**: Accept responsibility for one’s actions and decisions. | ||
5. **Excellence**: Strive for excellence in professional practice through continuous improvement and learning. | ||
|
||
#### **2. Standards of Conduct** | ||
|
||
1. **Confidentiality**: Safeguard the confidentiality of all sensitive information unless disclosure is required by law or with consent. | ||
2. **Conflict of Interest**: Avoid conflicts of interest and disclose any potential conflicts to the appropriate parties. | ||
3. **Professional Competence**: Maintain and enhance professional knowledge and skills to provide high-quality services. | ||
4. **Honest Communication**: We communicate truthfully and accurately in all professional matters, and conduct all our activities honestly and ethically. | ||
5. **Ethical Decision-Making**: Make decisions based on moral and honorable principles and sound judgment. | ||
6. **Mutual Respect**: Diversity is our strength. We respect and celebrate neurodiversity and individual differences in cultural, gender, sexual, religious, and philosophical orientations. | ||
|
||
#### **3. Responsibilities to Stakeholders** | ||
|
||
1. **Collaboration:** Share knowledge and experience with the concerned parties while upholding the principles of integrity and confidentiality. | ||
2. **Partners**: We act in the best interests of the organizations we report to, providing services with competence, diligence, and care. We live up to the expectations we raise among the partners we collaborate with and/or sponsor. | ||
3. **Volunteers**: Foster a collaborative and respectful work environment, supporting and mentoring peers. | ||
4. **Organizations**: Uphold the policies and values of employers while maintaining professional integrity. | ||
5. **Public**: Contribute positively to society and the profession, promoting the public good. | ||
6. **Profession**: Uphold and advance the standards and reputation of the profession. | ||
|
||
#### **4. Compliance and Enforcement** | ||
|
||
1. **Reporting Violations**: All members are expected to comply with this Code. We report any unethical behavior or violations of this Code to the appropriate authority within the organization. | ||
2. **Investigation of Complaints**: Cooperate with investigations into alleged violations of the Code. | ||
3. **Disciplinary Actions**: Understand that violations of the Code may result in disciplinary action, including suspension or termination of membership or employment. | ||
4. **Whistleblower Protection**: Protect individuals who report unethical behavior from retaliation. | ||
5. **Legality**: Operate within the bounds of all applicable laws and regulations. | ||
|
||
#### **5. Continuous Improvement** | ||
|
||
1. **Ongoing Education**: Commit to lifelong learning and professional development. Staying updated with the latest security trends, techniques, and best practices. | ||
2. **Self-Assessment**: Regularly assess one’s own ethical behavior and professional practice. | ||
3. **Feedback and Dialogue**: Engage in open dialogue with volunteers and the public to promote ethical practice and resolve ethical dilemmas. We will learn from our successes and mistakes, listen to each other, and always strive to improve. If you have feedback on this Code of Ethics, please contact the Ethical Commission by email: [email protected] |
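Review bot: after this hunk the file carries two separate codes with nothing saying which one is current: the numbered "CODE OF ETHICS 0.1" list (items 1 to 14), then the "MORE INFO" section, then a new "Preamble" with sections 1 to 5; either drop the 0.1 list in this commit or add one line marking it as superseded. Naming is also inconsistent within the same file: the front matter and headings say "Code of Ethics", while items 2 and 14 call it "this Code of Conduct", and item 14 says "ethical committee" where section 5.3 says "Ethical Commission". Smaller points: item 5 reads "prevent reporting false positives or miss false negatives" and should be "or missing false negatives"; heading levels jump from "## MORE INFO:" straight to "#### **Preamble**" with no "###" in between. Finally, GitHub flags this file as containing bidirectional Unicode text; open it in an editor that reveals hidden characters before merging, since a policy document should not carry invisible control characters.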
@@ -4,4 +4,4 @@ title: Code of Ethics | |
--- | ||
# Hello world | ||
|
||
code of ethics NL | ||
code of ethics NL |
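Review bot: the two rendered lines "code of ethics NL" are identical, so this hunk appears to change only whitespace or line endings, while the Dutch file still has the placeholder heading "# Hello world" and no real content under "title: Code of Ethics"; either replace the placeholder with the Dutch text in this commit or leave the file out until it is ready, and say in the commit message what the whitespace change is for.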