EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
research-methodologyresponsible-disclosuredual-useproject-zero

Responsible Disclosure and Dual-Use Ethics

Security research carries a tension built into its subject matter: work that helps defenders — a working exploit, a detailed vulnerability write-up — can equally help attackers. Responsible disclosure norms exist to manage this tension. The EternalBlue case shows what happens at government scale when those norms are not followed.

Ashish Revar7 July 202610 min read3 views

Sign in to mark this article as read and track your progress.

More articlesTest your knowledge

The Dual-Use Tension

Security research is inherently dual-use: the same proof-of-concept exploit that demonstrates a vulnerability to defenders can be repurposed by attackers. The same detailed write-up that teaches organisations how to detect a technique teaches adversaries how to evade that detection. This is a structural feature of studying adversarial systems, not an accident.

Responsible disclosure norms exist to manage this tension: ensuring that knowledge about vulnerabilities reaches defenders before attackers, and that researchers are not forced to choose between publishing and protecting users.

Coordinated Vulnerability Disclosure

Responsible disclosure — more precisely called coordinated vulnerability disclosure — is the practice of privately notifying the affected vendor before publishing details of a flaw, giving them a fixed window to prepare and release a patch, and only then making the technical details public.

The 90+30 lifecycle (Google Project Zero's current policy):

  1. Researcher discovers the vulnerability
  2. Private report sent to the vendor
  3. Vendor releases a patch — within 90 days
  4. 30-day grace period: users install the patch
  5. Full technical details published publicly

If the vendor fails to patch within 90 days, full details are published at the deadline regardless. If the vulnerability is being actively exploited in the wild, the deadline shortens to 7 days.

Google Project Zero

Google announced Project Zero on 15 July 2014 as a dedicated team tasked with finding vulnerabilities in any software used by Google's users — not only Google products. At launch, its principal contribution was a strict 90-day disclosure deadline with a public bug tracker documenting the process.

The policy was updated in 2021 to the 90+30 model. When Project Zero launched, most vulnerabilities it found took up to six months to be patched. By the 2021 policy update, 97.7% of its disclosed vulnerabilities were patched within 90 days — suggesting that a fixed deadline with public accountability materially changed vendor behaviour.

Bug Bounty Programmes

A bug bounty programme is a formalised channel through which a vendor invites external researchers to responsibly disclose vulnerabilities, in exchange for a monetary reward that typically scales with severity. Platforms such as HackerOne and Bugcrowd act as intermediaries, managing submissions and coordinating disclosure.

For a student researcher who discovers a genuine vulnerability during a project, a bug bounty programme — where one exists for the affected product — is the standard, expected channel for responsible disclosure, not a supplementary option.

EternalBlue and the Ethics of Stockpiling a Vulnerability

Chapter 1 described how WannaCry spread using EternalBlue, an exploit the NSA had built around a flaw in Windows' file-sharing protocol. Rather than reporting that flaw to Microsoft when found, the NSA kept it for offensive use. It was only after the exploit was stolen by a group calling itself the Shadow Brokers and leaked publicly that Microsoft learned of it and issued a patch — roughly two months before WannaCry struck.

Commentators, including Microsoft itself, argued that the world would have been safer had the vulnerability been disclosed to the vendor the moment it was discovered, rather than the moment it was lost. Choosing to sit on knowledge of a vulnerability is itself an ethical decision with consequences — not a neutral one. The Project Zero 90-day window exists to prevent both ends of this spectrum: it stops a researcher from keeping silent indefinitely, and it stops them from publishing irresponsibly before a patch exists.

Datasheets for Datasets and Model Cards

Two documentation frameworks reflect the same dual-use and transparency obligations:

Datasheets for datasets (Gebru et al., CACM 2021) ask a dataset's creator to document: the dataset's motivation, how it was collected, what uses it was designed for, and what uses it was explicitly not designed for. A malware-family dataset benefits from this discipline — who labelled each sample, using which vendor's naming convention, and on what date — because a document written while the data is being collected is far more trustworthy than one written after the fact.

Model cards (Mitchell et al., FAccT 2019) do the same for a trained model: intended use, evaluation results broken down by relevant subgroups, known limitations. A classifier documented with a model card can be reused by others without them having to rediscover its failure modes independently.

Check Your Understanding

While analysing a network traffic capture from a university test network, a student discovers evidence that the test machine had previously been compromised by a real attacker — not a simulation. Identify one obligation from each of the following three frameworks that now applies simultaneously: (a) the Belmont principle of Beneficence, (b) the CERT-In six-hour reporting rule, and (c) the concept of responsible disclosure if the compromise involved an exploitable vulnerability in a commercial product.