For better or worse, a security firm’s attempt to cash in on software bugs — by shorting a company’s stock and then publicizing the flaws — might have pioneered a new approach to vulnerability disclosure.
Last August, security company MedSec revealed it had found flaws in pacemakers and other healthcare products from St. Jude Medical, potentially putting patients at risk.
However, the controversy came over how MedSec sought to cash in on those bugs: it did so by partnering with an investment firm to bet against St. Jude’s stock.
Is this a good development or another litigation nightmare that will consume resources and deter innovation? Given that companies find critical flaws and never disclose (or even fix) them, are the legal system and affecting stock values a reasonable remedy?
This is the first instance of a clearly explosive trend. One security researcher said “Every single hedge fund has reached out to me.”
We have always told the drug companies that we would not pressure them and create a slippery slope where prices they negotiate with us for poor countries would inevitably lead to similar prices in rich countries.
[...] If we do try to do something in this area, we suggest that we approach the innovator companies that can currently sell products in the US with the idea of making donations to help clear the ADAP lists. For a variety of reasons, the companies will likely favor a donation approach rather than one that erodes prices across the board.
[...] I would guess that they would also likely favor a solution that involved their drugs rather than an approach that allowed generic drugs from India to flood the US market at low prices or one that set a precedent of waiving patent laws on drugs.
The Macintosh is Xerox technology at its best.