For better or worse, a security firm’s attempt to cash in on software bugs — by shorting a company’s stock and then publicizing the flaws — might have pioneered a new approach to vulnerability disclosure.
Last August, security company MedSec revealed it had found flaws in pacemakers and other healthcare products from St. Jude Medical, potentially putting patients at risk.
However, the controversy came over how MedSec sought to cash in on those bugs: it did so by partnering with an investment firm to bet against St. Jude’s stock.
Is this a good development or another litigation nightmare that will consume resources and deter innovation? Given that companies find critical flaws and never disclose (or even fix) them, are the legal system and affecting stock values a reasonable remedy?
This is the first instance of a clearly explosive trend. One security researcher said, “Every single hedge fund has reached out to me.”