One security research company is taking a controversial approach to disclosing vulnerabilities: It’s publicizing the flaws as a way to tank a company’s stock.
The security firm, MedSec, made news on Thursday when it claimed that pacemakers and other health care products from St. Jude Medical contain vulnerabilities that expose them to hacks.
However, MedSec is also cashing in on the disclosure by partnering with an investment firm that’s betting against St. Jude Medical’s stock.
The whole affair is raising eyebrows around the security community. It may be the first time someone has tried to get compensated for discovering vulnerabilities by shorting a stock, said Casey Ellis, CEO of Bugcrowd, a bug bounty platform.
That approach raises ethical issues because MedSec first disclosed the problems to the investment firm instead of to St. Jude Medical, which might have fixed them had it known.
“I think this could absolutely put patients in harm’s way,” said Josh Corman, director of the Cyber Statecraft Initiative at the Atlantic Council think tank.
Raising awareness or a cash grab?
St. Jude Medical has dismissed MedSec's allegations as untrue. On Friday, the company issued a lengthy statement pointing to what it called flaws in the research claims.
Still, St. Jude Medical’s stock has fallen by about 5 percent since the vulnerabilities were made public.
MedSec has been defending its actions. The Florida-based company has spent the last 18 months looking at security flaws in medical devices across the major manufacturers.
“St. Jude Medical stood out, far and away, as severely deficient when it comes to security protections,” CEO Justine Bone said in a Bloomberg interview.
But MedSec said it didn't tell St. Jude Medical because the company has a history of ignoring security issues, despite past regulatory action.
“We felt notifying the company would simply give it a chance to prepare its ‘messaging’ in an effort to sweep this under the rug,” MedSec said in an email.
However, the security firm didn’t do its research for free. Muddy Waters Capital is the investment firm that has shorted St. Jude Medical’s stock. It is paying MedSec a licensing fee and forwarding profits from its investment as compensation for the research.
“Of course, we are looking to recover our costs here,” Bone said in the Bloomberg interview.
Unintended side effects
Despite MedSec’s claims, not everyone agrees with the company’s approach. Some have even called it dangerous and fear that hackers may now target products from St. Jude Medical.
“How disclosure happens is critical,” Corman said. “If we bring too much attention to these vulnerabilities, adversaries may want to target them.”