The University of Minnesota (UMN) got into trouble this week for a study in which researchers submitted deliberately vulnerable patches to open-source projects, to test whether a hostile actor could get a backdoor merged this way. After a UMN researcher submitted a crappy patch to the Linux kernel, the kernel maintainers decided to rip out all recent UMN patches.
Both things can be true:
- Their study was an important contribution to the field of cybersecurity.
- Their study was unethical.
> By asking the top boss if it's okay if you lie to their team, a la an authorized penetration test.

Random of Eddie (@random_eddie), April 21, 2021
In this case that might still not be ethical. In an authorized penetration test the boss who consents has authority over the employees who will be deceived and whose time will be wasted. Here, while the top maintainer can answer for the *project*, he can't answer for the other *people* reviewing patches, who are volunteers and not employees.