http://blogs.msdn.com/b/sdl/archive/2007/08/23/temp.aspxSteve Lipner here. A couple of weeks ago, I participated in a panel on the ethics of security vulnerability disclosure at Black Hat in Las Vegas. I believe that I was invited for my role in Microsoft’s Security Engineering and Community team and becauseen-USTelligent Evolution Platform Developer Build (Build: 5.6.50428.7875)http://blogs.msdn.com/b/sdl/archive/2007/08/23/temp.aspx#4589241Mon, 27 Aug 2007 13:01:43 GMT91d46819-8472-40ad-a661-2c78acb4018c:4589241 Microsoft and The Ethics of Product Vulnerabilities : bloginfosec.com<p>PingBack from <a rel="nofollow" target="_new" href="http://www.bloginfosec.com/2007/08/27/microsoft-and-the-ethics-of-product-vulnerabilities/">http://www.bloginfosec.com/2007/08/27/microsoft-and-the-ethics-of-product-vulnerabilities/</a></p> <img src="http://blogs.msdn.com/aggbug.aspx?PostID=4589241" width="1" height="1">http://blogs.msdn.com/b/sdl/archive/2007/08/23/temp.aspx#4543785Fri, 24 Aug 2007 18:00:59 GMT91d46819-8472-40ad-a661-2c78acb4018c:4543785asteingruebl<p>Steve,</p> <p>It appears that you are using a duty-analysis model for determining what is ethical. &nbsp;</p> <p>In your example then, the software producer has an ethical duty both to the consumer of the software, but also to the folks paying to have the software produced. &nbsp; Balancing these is pretty tricky as you've indicated. &nbsp;The consumer is paying money for the software and has expectations, the creator is being paid to create....</p> <p>How do you think the equation shifts if you're either performing the work for free, or giving away the software? &nbsp;Does it move the line towards more security, or towards release with less?</p> <p>- Andy</p><div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=4543785" width="1" height="1">