> I would argue that first requires investigation.
Why do you think that enough of an investigation hasn't been performed in order to understand culpability?
They already know what happened and want to learn why it was approved.
That was what their comment said.
Take a look at the actual PDF from the researchers, "On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits" [1]
The prof overseeing the paper clarified that they initially did not seek IRB approval, and then received an IRB exemption [0]. I'd want to ask the IRB why they approved that, for starters. Maybe because they'd already done the research and hoped it would blow over, vs. the controversy of rejecting it when they'd already done the work?
Honestly I’m guessing this kind of situation didn’t match any existing policy for the review board and a few people made a bad call.
We need to make sure to be supportive of people making mistakes and learning from them instead of raising pitchforks for every misstep. Failure is never completely avoidable and responding properly to failure is way more important than never failing.
From my reading of the threads in the kernel mailing lists, it seems the IRB thought "is it bioscience with experimentation on live animals? No? Then it's all fine".
Yeah, especially considering that the IRB said the research was out of scope (specifically that it was not "human subject research") rather than indicating that it was ethical. Kind of like the distinction between a court not having jurisdiction and a court declaring you didn't break any laws.
I think they misrepresented the project so that it would be classified as “not human research”. It’s unclear whether the misrepresentation was intentional (to obtain the exemption) or unintentional (they were genuinely unaware of the human impact).
> We will investigate the research method and the process by which this research method was approved, determine appropriate remedial action, and safeguard against future issues, if needed.
The "if needed" tells me they aren't sure what, if anything, is wrong yet. It would surprise me if they have done that much of an investigation in the few hours since they might have learned about this, beyond scheduling meetings with involved parties and compiling relevant documents in a folder.
I think they are at the point of having a bunch of angry emails and a few news articles from certain publications. I don't blame them for wanting a bit more than that before saying anything.
They probably just have a bunch of angry emails to go on at this point and haven’t looked in detail at anything else.