Ethical Question in Muddy Waters: Security Reporting as a Weapon
- erikm67
- Feb 28, 2021
- 3 min read
This week I am wrestling with an ethical question. I was contacted by a representative of a security company about doing some business together. I recognized the name of the company but I could not place it. Eventually I came to realize that the security company was involved in a security attack for profit against a company I had worked for previously. I am not going to say any of the company names in this posting, however, everything is public information. Here is a link to a news story about how an investment company shorted the stock while revealing the security flaw. The stock did drop by 5% so I assume the investment company made some money.

Mr. Muddy Waters himself.
So, dear readers, the ethical question is: should I work with this security company?
I thought about this on my run today. At the beginning of the run, I was like "Hell no! I should not work with these folks. Security reporting for profit & security as a weapon is low-down, mean and dirty." However, towards the end of the run I started to think that, as a result of this report, there were benefits. The benefits were that the company I worked for made process improvements and I personally learned how to make safer and more secure products.
So, let's break down the two sides of the issue.
Hell no! Security reporting for profit is low-down, mean and dirty.
The first thing I want to say is that I don't have any insider knowledge about the validity of the security issues reported. The issues were in another group in another part of the country, and the issues were not related to any product I had developed. Later, an independent lab at the University of Michigan said that the originally reported findings were overblown. There were lawsuits around the issue too. In the end the FDA did issue a warning letter to the medical device manufacturer. My opinion is that some of the issues were real but overblown in the original report. That is definitely one problem with using security reports as a way to profit, as the investment company did. The emphasis is not on accurate reporting. The emphasis is on making it sound as bad as possible so the stock price drops.
However, did the security company act inappropriately? According to this article the security company decided to report the security flaws to the investment company (for payment) rather than to the medical device company because they thought that the medical device company would sweep the issue under the carpet.
In my opinion, this only rings partially true.
The appropriate way to handle something like this is using coordinated vulnerability disclosure. The security company should have contacted the medical device company or an independent security disclosure group and reported the issue. The security company could then give a timeframe for mutual disclosure. If the medical device company wanted to refute the original findings, they could, but the security company would still go forward with the security announcement on the timeframe. The medical device company would likely have put the best explanation forward but there is no way they could have swept the story under the carpet. The other advantage of coordinated vulnerability disclosure is that the medical device company might have been able to develop a fix and release it at the same time as the disclosure. This could have prevented anyone malicious from using the exploit.
But there were some benefits. Some good came out of it.
Any action that results in safer medical products must be good, right?
Don't get me wrong, I appreciate that the security company found the issues and reported them. Transparency is always good when dealing with security issues. For sure, the way the issue did come to light caused a strong reaction within the company. This strong reaction ultimately benefited the company, in my opinion, and it benefited me by causing me to learn.
If the security company had opted for coordinated vulnerability disclosure, would the same strong reaction have occurred? The answer can only be speculative; however, I tend to think that the same strong reaction would have occurred. I believe the coordinated vulnerability disclosure would have caused the same investigation by the FDA. This regulatory action, or potential regulatory action, is very motivating for a medical device company. Likely the same process improvements and learnings would have resulted. My learning would also likely have occurred.
Conclusion
Please. There are no ethical conclusions in a post-modern world.