Your client/customer asks you to remove an embarrassing finding from your pentest/assessment report. Do you?
You find your client/customer is breaking the law (such as not disclosing a big breach as required by law). Do you contact the police?
You've signed an NDA, but then want to talk to the press about it, keeping your name and customer's name anonymous.
Building tools that can be used for both (evil) attack and (good) defense:
An obvious fraud (e.g. Gregory Evans) promotes himself and appears often on TV. Should you point this out, or ignore it?
You see a URL ending in ?articleId=473. Do you increment it to 474 in order to see what happens? Do you script this to grab all sequential article IDs? Note: I'm asking the 'ethical' question here, not debating the 'legal' question.
Is breaking the law inherently unethical? You live in a country where encryption is outlawed, do you help activists encrypt their stuff?
This recent incident (Kasperky outing a U.S. malware campaign against ISIS) brings up a lot of ethical questions:
When @d0tslash decided to disclose DJI (the drone company) vulns rather than accept the $30k bribe to cover them up.
When is it bribery? The salesperson invites you to an exclusive RSAC party, pays for dinner, takes you golfing, gives you $10k under the table in order to choose their product? A lot of you are getting drunk on free booze at RSAC vendor parties right now.