ZERO DAYS, ONE OBLIGATION

This thesis set out to apply the moral principle of utilitarianism to the policy problem associated with zero-day vulnerabilities. These vulnerabilities can be understood as errors in coding that are potentially exploitable and unknown to either the creators or users of the software. If attack vectors related to zero-day vulnerabilities are completely dependent upon correctable coding errors, what should policy require when the U.S. government detects a zero-day vulnerability? Should it be disclosed publicly so it can be patched or restrict knowledge of it so it can be weaponized? This thesis applied revisionist John Stuart Mill’s unique and nuanced description of utilitarianism to the Vulnerabilities and Equities Policy and Process (VEP) to evaluate what aspects of the policy fulfilled Mill’s moral code and what areas could be improved. The improvement recommendation is made on strictly moral terms. This thesis acknowledges while moral policy has undeniable benefits, there are times where the moral can come at the expense of the strategic, and national interests can be compromised. Ultimately, much like the VEP, this thesis recommends balance.
http://archive.org/details/zerodaysoneoblig1094562227
Lieutenant, United States Navy
Approved for public release; distribution is unlimited.