===================
VTC Code of Conduct
===================
(Status: June 2001)

This code addresses those members of staff and students working in projects at the Virus Test Center of the Faculty for Informatics at Hamburg University. This code is relevant for any research or other work related to viruses and other forms of malicious code.

The purpose of this code is to protect persons inside and outside VTC laboratories as well as all technical equipment, esp. including hardware, operating and network systems, databases, test environments and application software. Moreover, this code shall inhibit (as far as possible) any side-effect of research and work with malicious code on any other person or technical equipment outside VTC.

This code also applies to students working in courses and exercises concerned with teaching, learning and training methods of Reverse Engineering. In these projects, additional requirements regarding the protection of Intellectual Property of systems or products in question apply (not listed in VTC CoC).

Rules:
------

R.01) Always be aware that work with viruses and other forms of malicious code bears a significant risk. Therefore, always be prepared for recovery actions.

R.02) Always do your best to properly separate your working environment (hardware, systems and system software, network, application programs, databases, tools) from all other environments that are not needed to pursue your goal.

R.03) Follow VTC rules for separation of networks and use related techniques (local hubs and switches to connect relevant clients and servers, and to effectively disconnect any other component). Never run any experiment with viruses or other forms of malicious code with ANY connection to ANY other local or global network (Internet).

R.04) Always work with the best possible care. Always document any relevant step or procedure, to support analysis of failed experiments.
R.05) Any form of acquisition of viruses or other forms of malicious software for experimental purposes (e.g. via Internet) is only permissible for actions related to VTC's mission. This esp. includes analysis of emerging malicious threats as well as development of methods, tools and software to counteract related threats.

R.06) It is the privilege and duty of VTC management to properly maintain a collection of viruses on different platforms as well as of other forms of malicious software.

R.07) Viruses and other forms of malicious code may NEVER be transferred (in ANY form, whether executable or not) to anybody outside your project except with explicit agreement of VTC management.

R.08) Generally, transfer of viruses and malicious code or essential technical information about viruses and malicious code is only permissible to a given expert with known or assured professional knowledge, when s/he convincingly argues that s/he needs that specific code to pursue her/his work in helping to protect others from viral or malicious risks, and provided that there is sufficient (positive) evidence that the related expert is trustworthy.

R.09) Never work with any person on viruses or malicious code when you can NOT be sure that s/he qualifies for such work (see R.08).

R.10) Never work with authors of viruses or malicious code (it is permissible to interrogate such authors if this does not help them in pursuing their malevolent work).

R.11) Never work with persons eXchanging viruses or malicious code (VXers).

R.12) Always try to inform the public about risks arising from writing and disseminating viruses and any other forms of malicious code.

Violations of Rules, Sanctions:
-------------------------------

It is the duty of VTC management to analyse any disregard or violation of these rules. Any related analysis shall not only collect and assess any relevant aspect but also give any person a fair chance for presenting her/his views.
Sanctions shall be adequate, and they may range from warning to exclusion from VTC work.