Ethical conduct in cybersecurity research

What happened?

What is human-subjects research?

Human subject means a living individual about whom an investigator (whether professional or student) conducting research, [including if the researcher] obtains information or biospecimens through intervention or interaction with the individual, and uses, studies, or analyzes the information or biospecimens.

Was this human-subjects research?

Humans within sociotechnical systems

Experiment conducted by the authors.

In the experiment, we aim to demonstrate the practicality of stealthily introducing vulnerabilities through hypocrite commits. Our goal is not to introduce vulnerabilities to harm OSS. Therefore, we safely conduct the experiment to make sure that the introduced UAF bugs will not be merged into the actual Linux code. In addition to the minor patches that introduce UAF conditions, we also prepare the correct patches for fixing the minor issues. We send the minor patches to the Linux community through email to seek their feedback. Fortunately, there is a time window between the confirmation of a patch and the merging of the patch. Once a maintainer confirmed our patches, e.g., an email reply indicating “looks good”, we immediately notify the maintainers of the introduced UAF and request them to not go ahead to apply the patch.

Designing an ethical version of this study

Beyond this case study





Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store