[got2surf]

Great point, I think the tech crowd may overestimate the cost of glitches, relative to everything else at play in a business.

I think the point I'm getting hung up on is that the bank's stock price could drop for two reasons: bad PR due to the glitch, and/or falling financials due to fraud perpetrated as part of the glitch. I can completely understand a hedge fund trading and making money off the bad PR. But if (hypothetically) the bank lost a ton of money by hackers liquidating user accounts or, worse, making leveraged bets [before everyone checked for that sort of thing ;)], and the hedge fund knew there was a reasonable chance that the malicious activity would occur based on the newly disclosed information, would they have liability there? (from the theft/fraud perpetrated against the bank, not the drop in stock price)

[downandout]

I believe that responsible disclosure is a courtesy to the vendor and its customers. Afaik, there is nothing in the law that requires it. Exploiting vulnerabilities like the one you are discussing here yourself certainly would be illegal, and you could possibly be implicated in a conspiracy if you disclosed the vulnerability solely to one person or group that you knew would exploit it (so "I told my Russian hacker friend about this..let's short the stock before he nails them with it!" would probably be a conspiracy case, whereas a press release or HN posting would not be).

But general public disclosure of a vulnerability, and/or trading on the anticipated effects of public disclosure, is not illegal. It likely won't win you friends in the IT community, but it falls short of an indictable offense.