I believe in full but responsible vulnerability disclosure, and really appreciate researchers that spend the time and effort to find security flaws in products so the industry can fix them. The only caveat being, I also believe researchers should privately disclose these flaws first, and give the vendor sufficient time to fix them before releasing the full details. The intention isn’t to protect the vendor, rather to protect the customers that use the affected product. Today’s video covers an ethical dilemma over one research group’s disclosure of vulnerabilities in a medical device. Watch the video for the details, and let me know your thoughts on the matter.
Episode Runtime: 4:06
Direct YouTube Link: https://www.youtube.com/watch?v=l-AkwldvXOo
- Medical device vulnerability disclosure creates ethical dilema – Computer World
- St. Jude Medical’s initial response to the disclosure – SJM
- MedSec facing a lawsuit over the disclosure –Computer World
- St. Jude’s release about the lawsuit – SJM
- An MIT article on the incident – MIT Tech Review