For better or worse, a security firm’s attempt to cash in on software bugs — by shorting a company’s stock and then publicizing the flaws — might have pioneered a new approach to vulnerability disclosure.
Last August, security company MedSec revealed it had found flaws in pacemakers and other healthcare products from St. Jude Medical, potentially putting patients at risk.
The controversy, however, was over how MedSec sought to profit from those bugs: it partnered with an investment firm to bet against St. Jude's stock before going public with the flaws.
Is this a good development, or another litigation nightmare that will consume resources and deter innovation? Given that companies find critical flaws and never disclose (or even fix) them, are the legal system and pressure on a company's stock price a reasonable remedy?
This is the first instance of a clearly explosive trend. One security researcher said, "Every single hedge fund has reached out to me."
"In total, the vulnerabilities investigators found were so severe and so trivial to exploit, Epstein noted, that 'anyone with even a modicum of training could have succeeded' in hacking them. An attacker wouldn't have needed to be inside a polling place either to subvert an election... someone 'within a half mile with a rudimentary antenna built using a Pringles can could also have attacked them.'"
SourceForge, the code repository site owned by Slashdot Media, has apparently seized control of the account hosting GIMP for Windows on the service, according to e-mails and discussions amongst members of the GIMP community—locking out GIMP's lead Windows developer. And now anyone downloading the Windows version of the open source image editing tool from SourceForge gets the software wrapped in an installer replete with advertisements.
"Luke, I'm yer father, eh. Come over to the dark side, you hoser." -- Dave Thomas, "Strange Brew"