08-17, 16:00–16:45 (Europe/Berlin), Milliways
We've all been there, we knocked a company offline while doing some well intended security testing. How many requests per second is considered ethical? How deep into a system can you go, dump the database or not? Reverse shell or touch /tmp/pwned? What are YOUR ethical boundaries?
What is ethical? and why? Is buying credentials of the dark web ethical? Is fuzzing a server in a broom closet with millions of requests ethical? Did you know it was a raspberry pie in a broom closet?
This talk discusses ethical boundaries, the existence and lack of them, but also the grey areas in between. The spark for this talk has been initiated from the need to ensure that all forms of security testing would be beneficial to all parties concerned and within some ethical boundaries. From secret hacking techniques to open blog posts and CVE's. Hopefully this talk will spark some discussions within the community so we can all go home with a clear conscience and preserve moral high ground.
I have been running Bug bounty programs since 2016 and hacking on them myself since. 150+ M&A Security Due Diligence evaluations, ~40 per year.
Head of Security Testing at Visma.