by hinkley 1877 days ago
I guess that depends on whether you consider this a sociology experiment or white hat work.

I'm not sure that I agree that sociology experiments have 'informed consent' the way you appear to be thinking of it. Yes, you know you're in an experiment, but if you know what the experiment actually is, then your reactions are not authentic and you skew the results (which always makes me wonder about clever people in experiments).

In white hat stories, it's not always the case that everyone knows ahead of time, but 'enough' people know. Those who do know bear part of the responsibility of ensuring that things don't 'go too far', and they give organizational consent but not personal consent. Although I confess that OSS might be a little fuzzy here because I didn't sign anything when I started. You can't tapdance around informing me by pointing to some employment agreement.

1 comment

You are free to disagree. Obviously, not every scenario can be navigated using an arbitrary policy for conduct, which was what clearly happened here. 'Informed consent' in the context of cybersecurity research is described in the Menlo Report [1].

And FYI, not all white hat stories are clean in their approaches; that in itself remains a controversial topic for another discussion. Furthermore, employees in an organization are under a different set of contractual obligations, full of caveats, to their employers. In some ways, they've already "consented" to specific bare minimums (white hat work can be framed as security awareness training required in your job role).

Open source contributors and reviewers are individual third-party actors. No one has established any tolerance limits. So "enough" people doesn't really apply here, because no one was made the arbiter source to decide that.

[1] https://www.dhs.gov/sites/default/files/publications/CSD-Men...