The state of vulnerability disclosure took a weird turn last week after short-selling firm Muddy Waters disclosed alleged security holes in pacemakers and defibrillators produced by St. Jude Medical, a move that sent the latter company’s stock down 5 percent.
In a report from the Reuters news service, Muddy Waters head Carson Block said the firm’s decision to short the stock was prompted by vulnerability research from security firm MedSec, which has a financial arrangement with Muddy Waters.
St. Jude put out a statement calling bullshit, saying, “While we would have preferred the opportunity to review a detailed account of the information, based on available information, we conclude that the report is false and misleading.”
Vulnerability disclosure experts collectively scratched their heads over this story.
“Has (something like this) happened before? Probably,” Bugcrowd CEO and Founder Casey Ellis told SC Magazine. “Weev proposed exactly this model under Tro LLC a few years back. It’s not a new idea.” On the plus side, Ellis said, “These safety critical vulnerabilities will more than likely get fixed, and the medical device industry is on notice about reviewing and ensuring the cybersafety of those who depend on it.”
But, he worried, the move could be a setback in what has been a trend of better cooperation between vendors and researchers. “This is, by the very nature of the short, a combative action, the signals of which could set that back,” he told SC Magazine. “Hopefully that doesn’t happen.”
AlienVault Security Advocate Javvad Malik told the IDG News Service that he empathized with researchers frustrated by the persistent vulnerabilities in medical devices, but that, despite good intentions, “this can set a worrying precedent.” It could lead security researchers to prioritize profit over proper vulnerability disclosure, he said.
The bug bounty trend has been huge for security. As a reporter a decade ago, I remember companies blasting researchers left and right for “irresponsible disclosure.” You don’t see as much of that anymore, and the culture of vulnerability disclosure has changed for the better. Let’s hope weirdness like this doesn’t spark the setback that Ellis and Malik are rightly concerned about.