Who needs a bug bounty when you got this?

Questions and considerations on the recent shorting of a stock before disclosing the vulnerability


Does shorting a stock for profit signal a new trend in security research?

Bug bounties and programs to find and address security issues are on the rise. The bounty programs offer a way to coordinate efforts. They offer the potential of reward for those who discover and disclose. 

Bug bounties are an emerging marketplace. Some rewards are generous. Others draw criticism. One group took a different approach.  

They partnered with a financial firm to share their research. Then they shorted the stock of the company right before disclosing what they found. They profited when the stock dropped. 

They set their own payout. 

It’s not clear if they did anything illegal. The ethics of the approach is getting a lot of discussion.  

Why this is interesting now

Profiting on the insecurity of a company isn't new. Security folks have discussed this as a possible scenario for at least two decades. Three factors make this more interesting: 

  • The broad hype and awareness around security issues. 
  • The development of a semipublic marketplace for security testing and research. This draws more people into the effort in search of reward. 
  • The rise of cybercrime as an educated, organized, and disciplined force. 

An isolated event or the start of a trend? 

Markets work on information. Those with more accurate, complete, and timely information are in stronger positions. They tend to reduce their risk while increasing their rewards. The classic 1987 movie Wall Street highlights the importance of information, and the dark side of obtaining it at any cost. 

The challenge of cyber security is a near complete lack of understanding. It's too new. That means incomplete, inaccurate, and far-from-timely information upon which to act. Most still get spun up over a breach - which is generally only a symptom. 

Focus on the pursuit of information. Consider this passage from the Reuters article: 

MedSec approached Muddy Waters about three months ago and the two struck a deal under which Block agreed to hire MedSec as a consultant, pay it a licensing fee for research and a percentage of any profits from the investment, Block told Reuters.

Research for profit. Not a new concept, but still different than what we’re used to. This isn’t a group of kids trying their hand at the stock market. It’s the partnering of research with the specialty of short-selling. Seems that someone found a way to get better, more timely information. 

How does it make you feel? 

Does the rise of ransomware hold any clues?

A few years ago, we dismissed ransomware as an enterprise threat. Early variants were riddled with mistakes and targeted home users, so we figured it would fade away. Turns out that was akin to the startup concept of the minimum viable product (MVP). 

Now ransomware dominates the headlines. 

Is the partnering of security research with short selling a cause for concern? Worth exploring, too, is whether this is a good thing. Does this provide an efficient forcing function? 

Of course, this might also signal an opportunity for criminals: those bent on gathering information by any means, seeking to manipulate companies, information, and markets for their own gain. 

Far from sounding an alarm, this strikes me as something to pay attention to. Then again, it could be my economics background that's interested in seeing how this plays out. 

Are you preparing for these discussions? 

How are you working with your executive team and board to be ready if it happens to you? 

Sure, a hit like this could cause a temporary stock dip. But what if the disruption causes the loss of contracts? The broader implications signal an active need for officer and director involvement. 

Are they ready? 

When they need answers, do they turn to you? Are you valued for your leadership as much as your security expertise? Are they including you in these conversations? 

Are you ready? 

Now is the time to invest in proving your leadership. Your board might need you sooner than they planned. 
