
I've been doing some pretty interesting research that involves abusing a particular technology to carry out malicious behavior. Normally, upon completion of my research, I'd hand over all of my work before release so that the affected parties could resolve the problems I uncover. In this case, however, the abusable element is a core aspect of the affected technology and will be extremely difficult (if not impossible) to patch. I very much want to release and talk about my research, but I'm worried that making the details available beyond myself could result in malicious use of my research. The technology affected is very widely used and could result in a huge financial loss for parties that make use of it.

How can I release this research and still be ethical? Should I even do so? Any advice would be appreciated.

haze

3 Answers


Well, there are a couple of aspects to consider here; as has been said, there is no clear answer.

On the one hand you've correctly identified the risks of public disclosure with no easy remediation, which is that attackers can take advantage of the issue.

However there are also risks with not publicly releasing. For example, it's entirely possible that other entities have already discovered and are exploiting the issue you've found. By publishing you would then be leveling the playing field by allowing defenders to come up with work-arounds and mitigations, something they likely can't do without details on the issue.

Also, whilst there may be no fix, speaking in general terms there are other mitigations that can be applied to most technical security issues once they are known (e.g. additional monitoring of hosts, blocking of attacking systems, etc.).

What you might want to do is contact an agency to discuss the issue and see about involving the appropriate industry/technical people to look at co-ordinated disclosure. If you look at some of the larger impact issues that have come out over the last couple of years, that's generally the best approach.

As to who to contact, one option would be to speak to someone like CERT who are used to co-ordinating disclosure of issues.

Rory McCune
  • I think that this answer sufficiently addresses my concerns. Thanks for your input. – haze Jan 14 '16 at 22:43

Ethically, you should be guided by which path does the least damage. That most likely means you should release the information responsibly. Only in a world where you are smarter than everybody else is silence likely to limit damage.

My opinion is that releasing the information does the least damage because:

  1. You cannot assume that you are the only person smart enough to find this issue. Further, it is reasonable to assume that the odds of someone else discovering it and being malicious are higher than of them being non-malicious.
  2. Likewise, you say that it is difficult or impossible to patch, but exposing the problem to a larger number of eyes increases the chance of someone devising a patch or a compensating control that reasonably lowers the risk.

Responsible disclosure generally means contacting the owner first, and escalating to a public announcement if they're unwilling or unable to address the issue within a reasonable amount of time.

gowenfawr

Even though I have never released any research of such importance, I put some thought into this particular issue every now and then. This is my view on things:

First off: there is no solution / correct answer to this question. By the nature of ethics, it is opinionated.

Bugs and security leaks always occur. Software developers try their best to avoid them, but human error always adds to them. Knowing about an issue is better than the opposite. If people know about the security flaw you found, they can stop using the affected technology and move to an alternative (which is possibly safer to use). If people do not know and someone with malicious intent discovers the flaw, the damage will be much greater than if people can take precautions.

If I were in your position, I'd release it.

marstato
  • I'm definitely going to give it to the developers of the affected technology, but ego/career interests are driving me to want to release and take credit for my work. I suppose that's the real issue I'm asking about here. I don't see why anyone would need to know about the issue besides the developers. In the software vuln realm, the threat of public release is necessary to ensure a patch is created. In this case, where there is no easy patch, it's difficult to justify public release. – haze Jan 14 '16 at 17:27