irresponsible disclosure short handbook of an ethical developer LEMi ORHAN ERGiN AGILE SOFTWARE CRAFTSMAN

we live in a new era

THE DATA ERA

THE DATA ERA where we are the products

where we are the products where our data issold THE DATA ERA

where we are the products where our data is sold we are THE DATA ERA

where we are the products where our data is sold we are where algorithms decide what to buy THE DATA ERA

who to vote THE DATA ERA what to feel where we are the products where our data is sold we are where algorithms decide what to buy

THE DATA ERA where We've facing corruptions more then ever in software history

THE DATA ERA where we need more developers

THE DATA ERA better professionals ethical professionals where we need more developers

we need to talk about ethics more than ever

technology should be constrained by human values https://www.ted.com/talks/zeynep_tufekci_we_re_building_a_dystopia_just_to_make_people_click_on_ads WE'RE BUILDING A DYSTOPIA JUST TO MAKE PEOPLE CLICK ON ADS, ZEYNEP TÜFEKÇİ

ethics should govern behaviors

ethics should govern behaviors decisions politics companies management professions

No content

sets of discipline and minimum standards of behaviors turn development into a real profession SOFTWARE DEVELOPMENT IS A PROFESSION

Knowing how well you perform when you do your profession CRAFTSMANSHIP IS A JOURNEY

Loves his job Passioned Disciplined Motivated Apprentice Practices a lot Has no ego Embraces feedback Delivers value, not crap Focuses on quality Shares knowledge Participates meetups Joins communities Ethical developer Improves productivity Works as teams Learns like crazy Feels responsible Retrospects regularly Proficient with the tools Reads a lot Knows to say no No the one in the corner Checks quality metrics Programs in PAIRS lets the code test itself CRAFTER SOFTWARE

Loves his job Passioned Disciplined Motivated Apprentice Practices a lot Has no ego Embraces feedback Delivers value, not crap Focuses on quality Shares knowledge Participates meetups Joins communities Ethical developer Improves productivity Works as teams Learns like crazy Feels responsible Retrospects regularly Proficient with the tools Reads a lot Knows to say no No the one in the corner Checks quality metrics Programs in PAIRS lets the code test itself Ethical developer CRAFTER SOFTWARE

PRINCIPLES of AN ETHICAL DEVELOPER SECURITY PRIVACY HONESTY Customer TEAMWORK QUALITY PERSONAL SOCIAL MEDIA CULTURAL

We apply secure coding practices. SECURITY We test security of so!ware. We do not keep passwords in clear text. We remove passwords from external files. We protect log files and all internals. We inform security vulnerabilities.

We do not disclose private communication. We show respect to privacy of private life. We do not force employees to do overtime. We do not ask passwords of social media accounts to investigate during recruitment process PRIVACY We do not sell/share confidential data

We do not claim expertise where we have none. We do not inflate our abilities. We do not state undone tasks as done. We do not intentionally misestimate tasks. We do not falsely deny the presence of bugs. HONESTY We do not cheat on performance & quality KPIs.

We do not under/over value the outputs. We do not promise what we cannot deliver. We do not hide current status of the project. Customer We do not deceive customers about defects.

We do not hide information from teammates. We do not criticize just to feed out ego. We help our teammates when they need help. We ask help when we need help. TEAMWORK We do not be the guys in the corner

We do adequate testing and review. We write well-cra!ed code. We write sufficient documentation. We take full responsibility of the code. We regularly check code for quality & refactor. We validate fixes before se$ing them as fixed. QUALITY We do not accept to develop in lower quality.

We do not cultivate a brogramming environment. We do not steal unauthorized code. We do not use cracked or unlicensed tools. We do not reuse copyrighted code unless proper license is obtained. We do not suppress others opinions. We do not wait others to invest in our career, we invest in ourselves. PERSONAL We do not do mobbing, act sexist or intimidate.

We do not involve in trolling, social engineering, perception manipulation or black propaganda. We do not post things private to the company you work or to your colleagues. We do not argue with customers even though we are right. We do not communicate with others like an asshole. We show respect in social media. SOCIAL MEDIA

We give feedback fast. We also give positive feedback. We do not raise our voice to colleagues or to customers. We do not blame others. We respect to people and to our profession. We trust by default. CULTURAL We leave our ego behind the doors

what about irresponsible disclosure ?

what about irresponsible disclosure ? It does not ma!er if a bug bounty program exists or not. We should report security vulnerabilities to the company privately. Use private channels and make it confidential. Be ethical and find ways to report it to the company

what about irresponsible disclosure ? hey wait a minute... We already did what we recommended here. It does not ma!er if a bug bounty program exists or not. We should report security vulnerabilities to the company privately. Use private channels and make it confidential. Be ethical and find ways to report it to the company

0-day vulnerability had already published on public by someone 2 weeks before it means, the vulnerability could already be available in deep web it means, hackers could have already started to access machines via root

OUR INFRA TEAM CONTACTED WITH APPLE SEVERAL TIMES ABOUT THE VULNERABILITY Without writing any password, I could connect to system as root after I entered 3 times. I am saying these to let you understand how serious the topic is. If any company get hurt due to this vulnerability, Apple is the responsible. I don't think you can resolve this issue, therefore I want to talk with someone from security. LIKE THE ONE ON NOV 23, 2017 10:58, 5 DAYS BEFORE THE DISCLOSURE

fire alarm When you see the fire spreading uncontrollably, you have to press the fire alarm Sometimes keeping the issue private causes more problems than making it public

https://www.flickr.com/photos/editor/8560592076 https://gratisography.com Attribution 2.0 Generic (CC BY 2.0) CC0-like Custom License https://www.flaticon.com Icons made by Freepik from FlatIcon Basic License https://www.flickr.com/photos/24498687@N03/2337550017 Attribution-NonCommercial 2.0 Generic (CC BY-NC 2.0) REFER ENCES