Hippocratic Oath for Hackers
Overview
As a professional hacker dedicated to advancing cybersecurity and safeguarding human life, I pledge to uphold the highest ethical standards and comply with applicable laws and regulations in all my endeavors. Guided by globally recognized principles, legal frameworks, and industry best practices, I commit to protecting privacy, ensuring system security, and fostering public trust in the cybersecurity of medical devices and critical infrastructure.
This initiative was originally created by I Am The Cavalry and is updated annually with regard to updated global regulations and policies.
Protection of Privacy and Personal Data
- Commitment to Ethical Handling of Data: I will safeguard privacy and personal data in accordance with legal, ethical, and societal expectations.
- Compliance with Jurisdictional Privacy Laws: I will adhere to laws such as HIPAA (U.S.), the California Consumer Privacy Act (CCPA), the GDPR (EU), the Personal Information Protection Law (PIPL, China), the Privacy Act 1988 (Australia), and emerging data-protection laws in the Middle East, including the UAE Federal Data Protection Law and Bahrain's Personal Data Protection Law.
- Alignment with International Standards: I will align with frameworks like ISO/IEC 27701 for privacy information management, ensuring robust controls for handling personal data.
Security and Resilience of Critical Systems
- Ensuring Safety and Functionality: I will prioritize security and resilience in healthcare and critical infrastructure systems to protect public welfare and national security.
- Compliance with National Cybersecurity Laws: I will adhere to the Cybersecurity Information Sharing Act (CISA) in the U.S., the Network and Information Security Directive (NIS2) in the EU, the Cybersecurity Act in Singapore, and the Cybersecurity Management Guidelines in Japan.
- Global Standards Alignment: I will follow ISO/IEC 27001 for information security management and ISO/IEC 80001 for medical device networks, ensuring the confidentiality, integrity, and availability of information.
Responsible Vulnerability Disclosure
- Ethical Reporting: I commit to disclosing vulnerabilities responsibly, prioritizing collaboration and public safety.
- Adherence to Disclosure Protocols: I will comply with coordinated vulnerability disclosure (CVD) frameworks and report issues in alignment with guidelines from CISA (U.S.), the European Union Agency for Cybersecurity (ENISA), and the National Cybersecurity Authority (NCA) in Saudi Arabia.
- International Cooperation: I will respect the Budapest Convention on Cybercrime and collaborate with global stakeholders to combat malicious exploitation.
Securing Medical Devices and Healthcare IT Systems
- Commitment to Patient Safety: I pledge to secure medical devices and IT systems by addressing vulnerabilities transparently and effectively.
- Compliance with Regulatory Guidelines: I will adhere to U.S. FDA cybersecurity guidelines, the Medical Device Regulation (MDR) in the EU, and relevant standards in other jurisdictions to ensure the safety and effectiveness of medical devices.
- Collaboration with Key Stakeholders: I will engage with entities like the Biohacking Village Device Lab, manufacturers, and regulators to mitigate risks while promoting innovation.
Protection of Sensitive Data
- Respect for Confidentiality: I will uphold the highest standards of confidentiality for sensitive data.
- Adherence to Data Protection Frameworks: I will follow ISO/IEC 27018 for cloud privacy and security, ensuring the confidentiality of sensitive health and genetic information.
- Transparency and Accountability: I will maintain transparency about data use and ensure data breaches are handled in compliance with laws such as the GDPR (EU) and the Personal Data Protection Law in Bahrain.
Advancement of Public Welfare and Global Cybersecurity
- Collaboration Across Borders: I commit to promoting global cybersecurity efforts to protect health and critical infrastructure.
- Engagement with International Standards: I will align with ISO 31000 for risk management and advocate for comprehensive cybersecurity frameworks in regions like the Middle East, supporting initiatives such as the Dubai Cyber Security Law.
- Fostering Trust: Through initiatives like the Biohacking Village, I will build trust between security researchers, healthcare providers, and regulatory bodies.
Timely and Responsible Reporting
- Commitment to Prompt Action: I will act swiftly and responsibly in addressing cybersecurity issues.
- Adherence to Reporting Requirements: I will report vulnerabilities in line with timelines specified by authorities such as the FDA (U.S.), the Cyber Security Agency (CSA) in Singapore, and the NCA in Saudi Arabia.
- Regulatory and Manufacturer Collaboration: I will collaborate with manufacturers under coordinated disclosure policies and engage with regulators when required.
Pledge of Accountability
By taking this oath, I affirm my unwavering commitment to ethical hacking, compliance with legal frameworks, and the protection of human life. My work will prioritize privacy, security, and the public good, ensuring patient safety and resilience in critical systems.
References — Frameworks & Regulations
- Health Insurance Portability and Accountability Act (HIPAA) — U.S. Dept. of Health and Human Services
- California Consumer Privacy Act (CCPA), 2018
- General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679
- Personal Information Protection Law (PIPL) — China, 2021
- Privacy Act 1988 — Australia
- UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data
- Bahrain Personal Data Protection Law (Law No. 30 of 2018)
- Cybersecurity Information Sharing Act (CISA), 2015
- Network and Information Security Directive (NIS2) — Directive (EU) 2022/2555
- Singapore Cybersecurity Act, 2018
- Japan Cybersecurity Management Guidelines — METI
- Budapest Convention on Cybercrime — Council of Europe, 2001
- ISO/IEC 27001 — Information Security Management
- ISO/IEC 27701 — Privacy Information Management
- ISO/IEC 80001 — Risk Management for Medical IT Networks
- Dubai Cyber Security Strategy / Law
- FDA Cybersecurity Guidance for Networked Medical Devices
- Biohacking Village Device Lab
- National Cybersecurity Authority (NCA) — Saudi Arabia
