Hacker News
by jackgavigan 3589 days ago
Seeking to profit by short-selling a company's stock before revealing that their products have security vulnerabilities feels like a very grey ethical area to me.

I'm mildly surprised it doesn't fall under insider trading.

1 comment

It's very interesting, and a complex moral issue.

On the one hand, responsible disclosure, and immediate patching would be the ideal way forwards.

However, with a company that has a history of neglecting security, and with such severe possible consequences, speaking the only language that businesses understand is sometimes the only way to make them pay attention.

Had they gone the "responsible" route with a CERT disclosure, the vulnerability would have been published 45 days later, and would presumably be exploitable (as St Jude doesn't seem to prioritise fixes).

As it is, we get a brief media shitstorm, and hopefully companies paying more attention to product security as a result.

What I'd love to see is responsible disclosure with teeth. Someone like the FDA imposing severe penalties for failure to patch security flaws, and rewarding responsible hackers who find vulnerabilities. This means we avoid the nasty area of effective blackmail, whilst hopefully making it likely the 'good' guys find the vulnerabilities first.