Code of Ethics.


In our research, we regularly deal with technologies and techniques that could potentially be misused to cause harm in all sorts of ways. We also demonstrate the application of those techniques and the necessary tools in class, in order to raise awareness and prepare our students for situations where they might be affected by said misuse. When doing so, we always stress that it is of paramount importance to only apply this knowledge in a responsible and sanctioned way.

To further emphasize our commitment to the ethical use of potentially harmful knowledge and technology in research and teaching, we work by a set of rules based on the code of ethics (http://www.ieee.org/about/corporate/governance/p7-8.html) of the Institute of Electrical and Electronics Engineers (IEEE):

We, the members of the Institute of Networks and Security (INS), in recognition of the importance of our knowledge and technologies in affecting the quality of life throughout the world, and in accepting a personal obligation to our profession, its members and the communities we serve, do hereby commit ourselves to the highest ethical and professional conduct and agree:

1. to accept responsibility in making decisions consistent with the safety, health, and welfare of the public, and to disclose promptly factors that might endanger the public or the environment;
 
This includes, but is not limited to, making careful and fact-based decisions in security research, responsibly disclosing information about potential security vulnerabilities in products and protocols, and raising public awareness of the dangers of technologies and their use.
 
2. to avoid real or perceived conflicts of interest whenever possible, and to disclose them to affected parties when they do exist;
 
We make collaborating entities (clients, partners, students) aware of our Code of Ethics and strive to resolve any conflicts of interest that threaten to prevent us from acting according to it. If in doubt, we always opt for adhering to this code.
 
3. to be honest and realistic in stating claims or estimates based on available data;
 
When researching the security implications of technologies, products or events, we base our judgement on provable facts and don't generate or spread unfounded rumours that either mask or exaggerate the severity of potential consequences.
 
4. to reject bribery in all its forms;
 
We outright reject and will, if necessary, report attempts at bribery aimed at suppressing information that benefits public safety, or attempts at unfounded influence on our research and teaching activities. Furthermore, we do not favour or endorse (proprietary) techniques or tools in our work when there is doubt about the benefits they provide.
 
5. to improve the understanding of technology; its appropriate application, and potential consequences;
 
Through our research and teaching, we aim to advance the knowledge on computer-based security in general, how to develop and operate secure and dependable systems, and how to deal with the ambivalent nature of certain technologies and techniques that can be used for security testing or preventive monitoring, but may be misused for attacks or illegal interception of communication.
 
6. to maintain and improve our technical competence and to undertake technological tasks for others only if qualified by training or experience, or after full disclosure of pertinent limitations;
 
We constantly strive to stay at the forefront in security technology and practice and commit to the same high level of quality in our research and teaching. Especially in a topic as delicate as security, we only engage in activities for which we can guarantee that level of knowledge and professionalism.
 
7. to seek, accept, and offer honest criticism of technical work, to acknowledge and correct errors, and to credit properly the contributions of others;
 
For our own work, we always welcome valid contributions that enhance the security and applicability of our solutions. We constantly aim to improve our deliverables and practices, and will give due credit to any contributors. We also responsibly point out potential vulnerabilities in products and protocols to affected parties and will help discover and fix those and other weaknesses to the extent possible.
 
8. to treat fairly all persons and to not engage in acts of discrimination based on race, religion, gender, disability, age, national origin, sexual orientation, gender identity, or gender expression;
 
We act according to this principle, especially when it comes to interacting with students, colleagues, and clients. Furthermore, we neither work on nor endorse techniques and tools that aid in the discrimination of people.
 
9. to avoid injuring others, their property, reputation, or employment by false or malicious action;
 
We only engage in potentially harmful activities such as penetration testing under an explicit and written mandate issued by the affected party. Even then, we take utmost care to not cause any damage. In our research and teaching, we commit to the same level of caution and rigor and take all possible precautions to prevent damage to systems and people outside segregated lab environments.
 
10. to assist colleagues and co-workers in their professional development and to support them in following this code of ethics.
 
In research collaborations and especially in teaching, we aim to advance the state of awareness, knowledge, and capabilities of all those with whom we work. We require that they also adhere to the same ethical principles that guide our work.