
Ethical considerations of access to the HackerOne community - waffle_ss
https://www.hackerone.com/blog/ethical-considerations-of-access-to-the-HackerOne-community
======
munchbunny
Good to see that they are taking a clearly communicated, carefully considered
stance on a messy ethical issue. I don't really have a strong opinion on this
case, but I think it's refreshing that HackerOne is dealing with a case with
no clear best answer in a principled way.

~~~
21
Selecting your customers is always tricky.

On one hand you have your right to run your business as you see fit and to
respect your principles.

On the other hand you have discrimination of all kinds.

Think about the recent cases of a small baker with strong religious views
refusing to create cakes for gay couples.

Think about CloudFlare protecting ISIS sites.

~~~
derefr
To me, it seems to come down to:

1. there are evil people, but

2. those people frequently have more social power than nice people, and

3. the evil people will use their social power to paint nice people as evil
(i.e. "bullying.")

If you're defining the laws for a community or society, or the Terms of Use
for a piece of infrastructure for such a community/society to use—then it
behooves you to consider that any "hammers" built into your system will mostly
be used by those with power against those without it, regardless of which side
is "correct."

So: If you let people speak freely, the powerful will shout down the
powerless. But if you let people silence others, then the powerful will
silence the powerless.

Morally, it really comes down to a choice of which kind of hammer hurts
_wronged innocent_ powerless people the least. (Which can often mean offering
no hammer that can truly be used to "deal with" obviously-evil people.)

~~~
tptacek
I understand what you're writing, and what HackerOne wrote, but to me it
pretty much seems like "we won't run a security service for spyware
companies".

At Matasano, we wouldn't do work for the USG or arms manufacturers. We didn't
have a coherent framework to fit that decision into. We just wouldn't do it. I
worry that we may be overthinking things here.

~~~
Tomte
I see a parallel to the harassment/CoC discussion:

Because that's mostly my stance on the question "should a project have a code
of conduct?": It's overspecifying things because we believe we can control
them better the more we're spelling it out.

I'd prefer a blanket "we're against harassment of any kind and will act if
harassment comes to our attention", over many paragraphs trying to spell out
what exactly we consider actionable, leaving loopholes for language lawyers
(and we nerds have this tendency!) all over the place.

I know that you're strongly in favor of CoCs. Do you see a qualitative
difference between those things?

I'll grant that harassment is a much more explosive issue today, but "who is
allowed to participate in a bug bounty community" also seems to have potential
for bitter quarrels.

~~~
JoshTriplett
It's good to have an explicit statement that the spirit of the law is
important, and that if you're trying to language-lawyer your way around a code
of conduct, you're missing the point.

But that doesn't mean there's no value in having clearly laid-out principles,
and in particular, clear descriptions of proscribed behavior and protected
groups. Because in the absence of that, the same kind of people who would
language-lawyer in the _presence_ of a code of conduct will try to slickly
excuse their behavior as acceptable in the _absence_ of one.

Some of the most insidious people around will be superficially nice to
someone's face (some of the time), while taking the time in a policy process
to calmly and politely inquire if it would be reasonable to treat people like
them as subhuman, with ever so much justification and honeyed words. Head it
off in advance, set a line for what you expect, and don't assume that "be nice
to each other" will make everyone feel safe and welcome.

~~~
Tomte
As soon as you try to give your process the air of "due process" you have
lost. You must never get into a debate about it (internally, sure, externally
never).

You're not a court of law, you're an organization, a club, whatever. This club
has officers or a president.

Put your foot down and make a dictatorial decision that is only announced, not
discussed.

You're not recognizing their "right to argue". They cannot "lawyer" if there
is no venue open to them. Ignore their complaints on Facebook or whatever.

~~~
Bartweiss
> As soon as you try to give your process the air of "due process" you have
> lost.

It's worth remembering that people (rightly, I think) get far angrier about
breakdowns of due process than the absence of it. Some of the people upset
about the Drupal mess recently didn't seem to care much about the specifics of
what happened, but were incredibly disturbed that the official process
appeared to have been circumvented. At that point it would have been far
better to say up front "we make decisions at our discretion, in the manner we
choose".

------
phamilton
> On balance, if someone is infected with spyware they're probably better off
> infected with secure spyware.

That's a pretty amazing sentence. It illustrates just how messy this whole
situation is.

------
geppeto
I looked through the task manager of a corporate issued laptop and saw tasks
belonging to very similar companies, as part of the disk image IT makes.

The corporation likely has a license for the software, as well as conditions
for all their employees to expect monitoring.

A formalized bug bounty program would enable the software producer to have
secure software.

Why exactly is HackerOne drawing a distinction with this software producer? I
read the whole article and still miss what the controversy with this producer
is.

Is all monitoring software now banned from HackerOne under the guise of a
moral high ground HackerOne just created?

~~~
thraway2016
_Why exactly is HackerOne drawing a distinction with this software producer?_

The truth is: because a H1 rep went on Risky Business and did not deliver a
very good performance.

Patrick, who is absolutely okay with H1 having FiveEye clients like the US
DoD, has a very serious problem with them also servicing an obscure spyware
application provider. Because, I suppose, being murder-droned by a panopticon
hegemony is much better than getting yelled at by an angry spouse?

~~~
kbenson
The _purpose_ of the DoD is not to spy on people, it is to protect people.
That some actions by some programs and departments may cross the line
legally during certain periods is not the same as an entity whose sole, or
majority of, goods or services are for, or marketed as being for, an illegal
action.

~~~
miopa
In the first case, you have an entity that has a proven record of breaking the
law (on purpose) using technology. I can also argue that _the purpose_ of DoD
now is to protect the elites, from the people, but that's another story.

In the second, the legal line is not crossed. It may be crossed at some point
by an adult person that can bear responsibility for his actions.

I would not work with either; I can understand how one can not be a hypocrite
by choosing to work with the latter and not the former, but not the other way
around.

Is it the right moral choice to protect the privacy of a cheater? Maybe, I
don't know, I'm struggling to answer that to myself, let alone judge others.

~~~
Chris2048
> Is it the right moral choice to protect the privacy of a cheater?

Is this spyware used to find out if someone is cheating? If so, it means you'd
install it, and violate their privacy, _without_ knowing if they are a
cheater, so the point is moot.

~~~
miopa
I was not referring to the app, but in general to discover a cheater you'll
most likely violate their privacy.

My point is that privacy in a relationship is a relationship thing, and the
moral choice for me would be to not interfere in other people's relationships.
This includes not judging you if you use spyware on your wife.

~~~
Chris2048
> to discover a cheater you'll most likely violate their privacy

I'm not sure this is true. There are often clear boundaries, like secretly
observing them in public versus accessing their private phones.

> privacy in a relationship is a relationship thing

but it's also a privacy thing. Is domestic abuse a relationship thing? That
would also interfere with a relationship.

------
thraway2016
While I applaud this move, I suspect H1 will continue servicing government and
law enforcement clients of all kinds.

A consistently applied policy would see ties with ALL surveillance entities
severed.

~~~
sqeaky
This is going to earn me huge downvotes, but not all surveillance is equally
illegal or equally unethical.

To me it seems that groups that run spy satellites and look out for nuclear
missile launches are in a different ethical category than people who make
software for perpetuating domestic abuse.

Clearly, I picked two extremes. That was just to show that not all
surveillance is equally bad and that some can be better than others. I will
leave which other kinds of surveillance are just and unjust for other
discussion.

~~~
nvahalik
> people who make software for perpetuating domestic abuse

That's a bit like saying the authors of Wordpress perpetuate fake news.

I've used similar products to monitor usage on teenagers' devices and I can
attest to their usefulness far beyond "perpetuating domestic abuse".

~~~
sqeaky
The makers of Wordpress don't say "great for fake news", but the makers of
this software say "great for watching your partner".

They advertise reading your wife's SMS messages as a feature!

That and Wordpress would only be so-so for making a fake news page, I mean it
could work but you would be at a competitive disadvantage.

------
sasas
Patrick Gray interviewed the CTO of HackerOne in the latest Risky Business
security podcast [1] on this topic. Patrick is a friend of Alex, but that
doesn't stop a hearty debate. Highly recommended podcast for those interested
in infosec in general.

[1] [https://risky.biz/](https://risky.biz/)

------
ukyrgf
That font-weight/color is nearly unreadable on my Windows 10 machine.

------
tetrep
> Companies should defer judgement to the courts rather than make arbitrary
> moral judgements.

Uh, no. Please no. I do _not_ want the courts to arbitrate morality. That's a
far far far more dystopian world than one where corporations do (supposing I
accept their false dilemma). Companies can, in theory, be created by any
person, with any moral alignment. That is not the case with governments (minus
authoritarian ones, which function in the context of moral-defining as more or
less the same as a company).

Additionally, deferring to the courts also leads to the ever terrible "this is
moral because it is legal" and "this is immoral because it is illegal."

There is not a correct authority on morality to which you can defer. You
cannot offload such decisions and wash your hands. Any moral decision you
make, including deferring to some other moral-decider, is entirely your
responsibility.

Note: I'm doing the naughty thing of morals=ethics. I know this is
pedantically not the case, but I'm 99% sure that is what the article means.
And, in general, this is also what everyone means outside of targeted
discussions.

> ...if someone is infected with spyware they're probably better off infected
> with secure spyware.

I think this is a great ethical issue within the security community. There's
many arguments against working for a company you have ethical disagreements
with, but that becomes much more grey when it comes to security. Sure I might
not agree with the mass surveillance of the government, but wouldn't I rather
help the NSA not leave piles of malware sitting around on C&C servers than let
it be exposed to even more malicious actors?

Security could use a Hippocratic oath.

> FlexiSPY has not published a vulnerability disclosure policy or committed to
> no legal action against hackers. Both protective steps would be required
> should their program be hosted on HackerOne.

I'm surprised HackerOne doesn't have a policy surrounding this already. Are
hackers who submit issues to HackerOne not protected?

> We will not take action against them based exclusively on moral judgements.

Hooray, kinda. I think this is a maxim that HackerOne could extend to not
making moral judgements relevant at all, and to instead institute policies
that reflect HackerOne's current morals. This increases transparency and
allows HackerOne to say "We reject you because your company's
goals/actions/whatever explicitly contradict our policy that everyone wear
unicorn hats on Tuesdays".

> Their business conduct is not in line with our ambition to build a safe and
> sound internet where the sovereignty and safety of each participant is
> respected.

I think now would be a good time for HackerOne to write this stuff down. A
_very_ brief look at their site and the only thing I can see relating to this
is the tagline "Make the internet safer together." From which sovereignty
implications can be drawn, but having such policies explicitly stated and
publicly available not only allows for transparency in decisions, but also
works as an advertisement, "Oh hey, this company wants to protect my digital
sovereignty, neat!"

~~~
martenmickos
Thanks tetrep. I agree with your statement "would be a good time for HackerOne
to write this stuff down".

We just discussed it this morning internally. If you have suggestions on how
to formulate such a policy, please email me at marten@hackerone.com.

Thinking out loud, HackerOne stands for and supports the security and
integrity of every piece of software code, for transparency and openness, for
the sovereignty of each human being connected online, and for fair and
equitable principles for all online activity. And probably some other aspects
that I didn't think of this exact second.

If anyone has thoughts on this, we are all ears.

Marten

~~~
roel_v
Don't get suckered into trying to write a 'clear set of guidelines' or a
'comprehensive community policy' or whatever they want to call it. 10 times
out of 10, the people asking for such things are either looking to pin you on
your own texts through language lawyering or are incapable of independent
thought - not the sort of people you want to deal with anyway. The whole faux
'justice' (of this sort) rhetoric is just that - the upholding of an illusion
of 'fairness', where that 'fairness' is a juvenile understanding of 'equal
treatment no matter what', just like those who think that majority decisions
are always right because they're 'democratic'.

The correct response is that of when people tried this trick on the SCOTUS
when they asked it 'what is porn'. There, and here, the correct answer is: "I
can't define it, but I recognize it when I see it." This of course is a deeply
unsatisfying answer to people who can't (or won't) think for themselves, and
doubly so for the aspi types that inhabit the interwebs in disproportionate
numbers.

------
Animats
Coming soon, a public market in bugs?

How soon can I buy futures in Windows vulnerabilities?

~~~
tptacek
The bugs you're talking about are already worth 5-6 figures. Their prices are
so volatile and their outlook is complicated enough that no sane person would
enter into a forward contract on one.

