When governments discover or purchase zero-day vulnerabilities, they face a difficult decision: should they disclose the vulnerability, allowing the vendor to patch it before it can be exploited, and thereby promote the security of the public or consumer information implicated? Or should they keep the vulnerability under wraps and use it as a tool in law enforcement or military intelligence? The choice boils down to the classic dilemma of how to strike the best balance between the interests of the individual and the interests of the state. Different countries will have different vulnerability disclosure policies (VDPs) depending on which values they emphasize. In this presentation, I argue that Canada’s VDP should generally favour a defensive approach to vulnerabilities over an offensive one, since the advantages to the state from non-disclosure are unlikely to outweigh the risks to citizens, consumers, and Internet security as a whole.
The slides of the presentation are available here.
About the speaker
Pam Dheri is a third-year JD student in the English Common Law Program at the University of Ottawa.