Penetration Testing Scenario Googles Project Zero team conducts security research of popular hardware and software used by users around the world. Security research on software includes operating systems, applications, web browsers and open source libraries. One of the goals of the team is to drive long-term security improvements, not only for Googles products but for all software and hardware vendors. The Project Zero team follows a 90-day vulnerability disclosure policy. The vulnerability disclosure policy was updated in 2015 to allow a 14-day extension if a vendor has a patch scheduled for release but the patch release date is after the expiration of the original 90-day period for public disclosure of the vulnerability (Google Project Zero, 2020). The 14-day extension was added to the public release policy following an incident where Google release details about a vulnerability in Windows 8.1, along with an exploit proof of concept (PoC) (Offensive Security EDB-ID 35811, 2015). Google reported the vulnerability (CVE 2015-004) to Microsoft on October 13, 2014. Microsoft developed the patch but it was planned for release on the regularly scheduled monthly release one January 13, 2015. However, that release was two days after Googles 90-day public release date. Microsoft requested Google not publicly release the vulnerability until after Microsofts regularly scheduled patch release on January 13, 2015, but Google believed it was necessary to strictly adhere to the 90-day public release policy. Google released details of the vulnerability and the exploit PoC on January 11, 2015. Microsoft leadership publicly chastised Google in a blog post (Microsoft, 2015), noting that Google exposed both Microsoft and Google customers to unnecessary risk as a result of releasing the vulnerability details and PoC two days before the patch was released. Google countered that it was important to comply with the 90-day release policy to ensure that vendors did not begin to ignore reported vulnerabilities and committed the resources to quickly patch those vulnerabilities. This, Google argued, was consistent with their mission to drive long-term security improvements in the industry. Ethical Decision Making Recognize an Ethical Issue

1. Describe the ethical issue(s). 2. Identify the parties that could be impacted by decisions regarding the ethical issue(s). 3. Explain how the ethical issue(s) can affect the interested parties.

Get the Facts 1. Identify the relevant facts. 2. Describe facts that would help in ethical decision making but are not available. 3. Describe the risks associated with unknown facts. In other words, describe how the discover of the facts you identified as not available could affect decision making if they were known. Evaluate Alternative Actions

1. The Utilitarian, Rights, Justice, Common Good and Virtue Approaches should be considered (Velasquez et al. 2015). 2. The Utilitarian Approach is useful in this situation. The primary consideration is the benefits that are gained by disclosing the vulnerability and exploit versus the negative consequences as a result of disclosure. Further, discuss advantages and consequences from non-disclosure. 3. Assess which option produces the most good and the least harm. Make a Decision and Test It 1. Make a decision that best aligns with your understanding about the related ethical factors. 2. Explain that decision and support why it is the proper decision. Act and Reflect on the Outcome 1. Reflect on the ethical decision-making process and describe: i. Strengths and weaknesses in the ethical decision-making process in this scenario. ii. Other factors you believe would have led to a better-informed decision. iii. Assumptions used in the process or decision that may not be applicable in other scenarios.