[Cisspstudy] preambles questions

[An.Dang at do.treas.gov]

I have a few questions that are in the "gray area" of things.  I have the answers (maybe) but want to know what the group thinks.

Using ISC(2) preambles as guides, answers these questions:

1) A visiting professor is assigned to work in a university computing center.  He found a hole in a financial transaction program that would enable one to collect students' social security numbers, last names, and other personally identifiable information.  He quietly collected the information into a computer file and gave the file to the system administrator on his last day.  
a) The professor was unethical.  He should have disclosed the hole right away.
b) There is nothing unethical with what he did.  He did not give the information to anyone else.
c) Though he did nothing unethical, the professor should have disclosed the information because ISC(2) preambles stated responsibility to the public first.
d) None of the above.  ISC(2) ethics were observed.

2) An analyst for an anti-virus software company is assigned to test a new product.  He developed an automated program to generate multiple instances of a computer virus with varying signatures. He wants to use it to test the new anti-virus software the company is going to publish.
a) He should not use it.  It is illegal to create virus.
b) There is nothing wrong with using it since it is contained in a test lab and would never get out to the Internet.
c) It is unethical to develop something that would potentially harm the public.
d) It is part of his job.  It is completely ethical.