Ethics of the Software Vulnerabilities and Exploits Market
Marty J. Wolf & Nir Fresco
In this article we establish three claims: (i) when the target software is proprietary, in the absence of other overriding ethical considerations, the identification of a vulnerability, and the development, sale and purchase of non-zero-day exploits, are ethically justified; (ii) when the target software is Free/Libre/Open Source, the buying and selling of vulnerabilities can be ethically justified only in a very narrow situation, while the sale and purchase of non-zero-day exploits is ethically justified absent any other overriding information; (iii) democratic governments should devise policies requiring firms to more fully absorb the costs of insecure software.