Governance, Risk and Compliance
Security Congress Abstract
Ethics in penetration testing services - where is the border and how do you avoid crossing it? How do you deal with ethical problems such as failure to obtain appropriate authorization, working solo, and failure to give appropriate notice so as to avoid false alarms? As a penetration tester, how do you balance the risk to society against your contractual obligation not to disclose a vulnerability, when all findings are owned by the client by default?
Ethical issues when dealing with your principals - why do CISOs get fired first whenever there is a personal data breach? When is the CISO actually liable?
Bug bounty programs - what are the risks and implications of such programs, in ethical and legal terms? Is running your own bug bounty program worth the risk, and can you get it right? What do you do if a vendor doesn't respond to a reported vulnerability? How do you deal with individuals reporting vulnerabilities to you?
Ethics in performing professional tasks when you do not have enough experience to perform them, although you hold a professional certification - how do you deal with such situations?