The way it’s supposed to work, white hat security researchers find vulnerabilities and report them privately to the affected vendor, giving that vendor time to ship a patch before the vulnerabilities are published. That is what the “good guys” do, and it is what coordinated disclosure means.
Cybersecurity company Medsec took a different path. After discovering vulnerabilities in St. Jude Medical’s pacemakers and defibrillators, they approached the (appropriately named) short-selling investment firm Muddy Waters with a plan to short St. Jude stock ahead of releasing a report on the company’s security issues. Medsec claims that St. Jude had known about its security issues for a long time but had done nothing about them. Although the partnership with Muddy Waters had a clear financial-gain element, Medsec claims that releasing the report publicly, with the intent of moving St. Jude’s stock and potentially jeopardizing its pending acquisition by Abbott Laboratories, was a financial cudgel meant to finally spur St. Jude to act on its cybersecurity issues. So, is Medsec one of the good guys?
Legally, Medsec has no obligation to disclose anything to St. Jude. Morally, they are in a grey area: the public benefits from knowing that St. Jude products have security issues. But announcing the vulnerabilities before St. Jude has time to fix them hands the “bad guys” a window in which to exploit them, and in implanted cardiac devices exploitation can lead to injury or death. Patients are not really in a better place. Because St. Jude’s stock dropped 10 percent the day the report was issued, Medsec and Muddy Waters certainly are.
Does this portend a new trend? Will security researchers take a similar tack in oil & gas and petrochemical, where the stakes are potentially even higher? Will markets react the same way? If companies like Medsec can show demonstrable financial gains that exceed anything available from corporate bug bounties, then yes, we will see more white hats turn grey and take similar actions. Whether oil & gas or petrochemical companies will suffer similar fates remains uncertain.
What are your thoughts on this grey area?