Secplicity - Security Simplified

Powered by WatchGuard Technologies

Ethical Vulnerability Disclosure – Daily Security Byte

September 8, 2016 By Corey Nachreiner

I believe in full but responsible vulnerability disclosure, and I really appreciate researchers who spend the time and effort to find security flaws in products so the industry can fix them. The only caveat is that I also believe researchers should privately disclose these flaws first and give the vendor sufficient time to fix them before releasing the full details. The intention isn’t to protect the vendor but rather the customers who use the affected product. Today’s video covers an ethical dilemma over one research group’s disclosure of vulnerabilities in a medical device. Watch the video for the details, and let me know your thoughts on the matter.

Episode Runtime: 4:06

Direct YouTube Link: https://www.youtube.com/watch?v=l-AkwldvXOo

EPISODE REFERENCES:

  • Medical device vulnerability disclosure creates ethical dilemma – Computer World
  • St. Jude Medical’s initial response to the disclosure – SJM
  • MedSec facing a lawsuit over the disclosure – Computer World
  • St. Jude’s release about the lawsuit – SJM
  • An MIT article on the incident – MIT Tech Review

— Corey Nachreiner, CISSP (@SecAdept)


Filed Under: Security Bytes Tagged With: Infosec news

Comments

  1. Marcelo Rizzo says

    September 8, 2016 at 4:39 pm

    It could be argued that shorting the stock amounted to insider trading.

    • Corey Nachreiner says

      September 8, 2016 at 4:50 pm

      In my chats with folks at work, others pointed out that as well… It certainly feels like that in some way. However, legally I think insider trading applies to those that actually work at the company in question. They have access to info that only the company should know. In this case, it was an outsider that knew of something no one else did (since they were the ones planning to essentially cause it). If you watch The Big Short, a movie about the US mortgage crisis, the analyst who was the only one to really recognize that the market was about to implode also used that information to short the market. Frankly, I feel like there are ethical questions there, but he technically didn’t do anything illegal by using the information to profit.

      That’s why this is a hard question. I don’t like what MedSec did in shorting the stock, but I don’t think it technically qualifies as insider trading, since those researchers aren’t part of the company in question.
