I believe in full but responsible vulnerability disclosure, and really appreciate researchers that spend the time and effort to find security flaws in products so the industry can fix them. The only caveat being, I also believe researchers should privately disclose these flaws first, and give the vendor sufficient time to fix them before releasing the full details. The intention isn’t to protect the vendor, rather to protect the customers that use the affected product. Today’s video covers an ethical dilemma over one research group’s disclosure of vulnerabilities in a medical device. Watch the video for the details, and let me know your thoughts on the matter.
Episode Runtime: 4:06
Direct YouTube Link: https://www.youtube.com/watch?v=l-AkwldvXOo
- Medical device vulnerability disclosure creates ethical dilemma – Computer World
- St. Jude Medical’s initial response to the disclosure – SJM
- MedSec facing a lawsuit over the disclosure – Computer World
- St. Jude’s release about the lawsuit – SJM
- An MIT article on the incident – MIT Tech Review
— Corey Nachreiner, CISSP (@SecAdept)
Marcelo Rizzo says
It could be argued that shorting the stock amounted to insider trading.
Corey Nachreiner says
In my chats with folks at work, others pointed out that as well… It certainly feels like that in some way. However, legally I think insider trading applies to those that actually work at the company in question. They have access to info that the company should only know. In this case, it was an outsider that knew of something no one else did (since they were the ones planning to essentially cause it). If you watch The Big Short, a movie about the US mortgage crisis, the analyst who was the only one to really recognize that the market was about to implode also used that information to short the market. Frankly, I feel like there are ethical questions there, but he technically didn’t do anything illegal by using the information to profit.
That’s why this is a hard question. I don’t like what MedSec did in shorting the stock, but I don’t think it technically qualifies as insider trading, since those researchers aren’t part of the company in question.