← Investigations

INV-004

Vulnerabilities and Their Surrounding Ethical Questions

A code of ethics for the zero-day trade, written from inside it

A Pwnshow Investigation · 2015–2017 · Status: completed · Programs: Investigations · Governance

Vulnerabilities and Their Surrounding Ethical Questions — cover

1. The question

Can a market that governments rely on but refuse to regulate be governed at all — and by whom? INV-003 mapped the strategic dynamics of the zero-day market: extortion, cooperation, and the shadow of the future among actors with no enforceable rules. This investigation asked the successor question: absent regulation, what binding conduct can the private sector impose on itself, and does a code written by an operator of the market — rather than proposed to it from outside — hold up as governance? The answer took the form of the first code of ethics focused on the trade of vulnerability information: six principles and eight enforceable standards, published for scrutiny and adopted in live commercial operation.

2. Method note

Movements engaged. All four movements of the house method. The conceived adversarial process: make the operator the test bench — draft enforceable rules for the vulnerability trade from inside it, adopt them as the operating code of a live acquisition business, then expose them to peer review and public criticism. The process was matched to the researched subject (the vulnerability supply chain and its actors, mapped end to end), executed to the standard of evidence (peer-reviewed publication at CyCon U.S. 2016, IEEE), and translated across registers — research venue, EU policy workshop, government security conference, hacker conferences, and press.

Instruments. Supply-chain actor mapping (software makers → vulnerability hunters → brokers → government and industry demanders); normative analysis anchored in public international law and the International Bill of Human Rights; security-economics framing (vulnerabilities as pollutants — private cost near zero, public cost borne by society; patching as a perverse incentive); first-person operational practice as evidence.

Exclusions. The investigation deliberately proposed no legislation: its scope was private-sector self-regulation, on the argument that conduct rules from inside the market could exist immediately while statute could not. Government equities decisions (exploit-or-disclose) were surveyed as open questions, not adjudicated. No claim was made to measure compliance beyond the author’s own operation.

3. Findings

  1. Every actor in the vulnerability supply chain — software makers, vulnerability hunters, brokers, and the government and industry entities acquiring capabilities — faces its own unresolved ethical questions; the moral load is distributed across the chain, not concentrated in the trade alone (artefact 2).
  2. Vulnerabilities behave economically as pollutants: their private cost to the software makers who create them is near zero while their public cost is borne downstream, and patching operates as a perverse incentive that lets manufacturers re-negotiate terms users could never negotiate in the first place (artefacts 4, 8).
  3. Notwithstanding a weak and uneven regulatory landscape, public international law and human-rights treaties already supply a backbone of principles binding on private-sector acquisition of zero-day capabilities (artefact 2).
  4. Those principles can be operationalised: the investigation contributed the first code of ethics focused on the trade of vulnerability information — six aspirational principles (clean hands; no danger to human health; no conflicts of interest; obey the law; preserve confidentiality; double effect and dual use) and eight enforceable day-to-day standards (artefact 2).
  5. A self-binding code authored by a market operator is viable governance-from-ground-truth: the code moved from paper to the operating rules of a live acquisition platform, demonstrating that “who is answerable” can be answered from inside the market before regulation arrives (artefacts 1, 2).

4. Consequence

Operational. The code was adopted as the Code of Business Ethics governing Zeronomicon’s acquisition operations, in force since 2015 and published by the company [zeronomi.com/ethics.html].

Institutional. The 2015 Code became reference infrastructure for Pwnshow’s own governance: it is the instrument carried as Annex D of the Independence / Conflict-of-Interest Policy v1.0, governing security-sensitive work across the investigation series.

Policy discourse. The work was carried into the EU policy arena by invitation — the European Commission’s Joint Research Centre workshop EU Zero-day Vulnerability Management: From Research to Production (Brussels, 2017) — and to the Australian government’s ACSC Conference (Canberra, 2017), and NATO’s CyCon U.S. 2016.

Circulation. The conference cycle drew international press, including Kommersant and ABC News (Australia) (artefacts 10, 11).

Adoption by other market participants is not claimed: the code was offered up for comment and criticism, and its only verified implementation remains the author’s own operation. An honest boundary, stated as such.

5. Artefact record

#ArtefactTypeVenue / identifierDateAccess
1Code of Business Ethics (six principles, eight standards)policy outcomeZeronomicon2015–code
2Vulnerabilities and Their Surrounding Ethical Questions: A Code of Ethics for the Private Sectorpaper2016 Int’l Conference on Cyber Conflict (CyCon U.S.), IEEE · DOI 10.1109/CYCONUS.2016.7836615Oct 2016doi.org/10.1109/CYCONUS.2016.7836615
3CyCon U.S. talk and research paneltalk recordingCyCon U.S., Washington D.C.Oct 2016talk
4Andy, the Polluters, Rick Deckard, and Other Bounty Hunterstalk recordingPHDays VI, MoscowMay 2016Materials not currently in the record
5Vulnerabilities and Ethicstalk recordingHITB GSEC, SingaporeAug 2016talk
6The Vulnerability Supply ChaintalkHack IT Conference, KharkivOct 2016Materials not currently in the record
7Vulnerabilities and Their Surrounding Ethical Questions (keynote)talkCyberCamp, LeónDec 2016Materials not currently in the record
8Vulnerabilities and Their Surrounding Ethical Questions: What the Private Sector Can DoslidesEU Zero-day Vulnerability Management workshop, European Commission Joint Research Centre, Brussels27 Jan 2017slides
9Vulnerabilities and Their Surrounding Ethical Questions: What the Private Sector Can DotalkEU Zero-day Vulnerability Management workshop, European Commission Joint Research Centre, Brussels27 Jan 2017talk
10Vulnerabilities and Ethics: A Code of Ethics for the Private SectortalkAustralian Cyber Security Centre Conference, CanberraMar 2017Materials not currently in the record. [Delivery closely followed the JRC text, artefact 8 and 9.]
11«Дыры без заплаток» (coverage of the vulnerability-trade ethics debate)pressKommersant2016press
12Zero-day exploit trade coverage, ACSC ConferencepressABC News (Australia)Mar 2017press

6. Continuity

Inherits: from INV-003, the strategic anatomy of the zero-day market — a trade whose dynamics reward defection and secrecy — as the condition the code was written to govern. Feeds: INV-007, which carries governance-from-operational-ground-truth to the regulation of open-weight AI capabilities; and, institutionally, the 2015 Code persists as Annex D of the Independence Policy governing this series.

7. What’s next

8. Provenance

Provenance. Vulnerabilities and Their Surrounding Ethical Questions (DOI 10.1109/CYCONUS.2016.7836615) and the related outputs above were produced without external funding. Their subject is not adjacent to but coincident with the vulnerability-acquisition market in which Zeronomi, founded and directed by the author, operates: the code of ethics contributed by this investigation is the Code of Business Ethics adopted by Zeronomi, and the investigation’s central claim — that operator-authored self-regulation is viable — is demonstrated through that company’s own conduct. The reader should weigh the findings with that identity of author, operator, and governed party in view. The work predates the Policy and is recorded here as a historical entry.

Added 2026/07/08 under Policy v1.0.

Page last updated: 2026/07/08 · Part of the Pwnshow investigation series

← Investigations index

Let's outplay.

Pwnshow (formerly secYOUre) · Rome, Italy · Investigating vulnerability since 2010. © 2026 Pwnshow