Introduction:
=============

This code of conduct defines the rules a signer agrees to obey: a researcher who does this work without any planned economic benefit and for the pure pleasure of doing it, while avoiding, by the researcher's own ethical standards, any unnecessary harm to human society.

Code of Conduct:
================

* Knowledge about vulnerabilities may be used for private purposes, e.g. learning, experimentation, PoC development, but:
  * the researcher will apply protection against data theft and accidental disclosure that is sufficient to address the expected risks from disclosure.
  * the researcher will not keep vulnerability information private where the risks from leakage are too high compared to the level of protection he/she can guarantee.
  * the researcher will not pass any information on to the public before a coordinated responsible disclosure procedure has been attempted with the vendor or another suitable partner, e.g. a software distributor.
  * the researcher is inclined to accept disclosure timelines from other parties when he/she has the impression that those decisions were made on the basis of sound risk management with the goal of reducing the societal risk - NOT only the financial risk for the affected party.

* Interaction with software projects and vendors:
  * Any party the researcher has actually worked together with in analyzing or fixing a security flaw, and that has its own "code of conduct", may request the researcher to sign it. The researcher will do so, referencing the issue addressed together. If the party requests a rogue signature (no work done together), did not stick to its own code of conduct, or the researcher deems its code of conduct flawed, the researcher will generate a distrust signature stating the reason.