More on a situation I noted yesterday. This approach to using/monetizing vulnerability discoveries is downright scary…. but will it work to improve security? Here’s one of your must-reads for today.
Jordan Robertson and Michael Riley report:
When a team of hackers discovered that St. Jude Medical Inc.’s pacemakers and defibrillators had security vulnerabilities that could put lives at risk, they didn’t warn St. Jude. Instead, the hackers, who work for cybersecurity startup MedSec, e-mailed Carson Block, who runs the Muddy Waters Capital LLC investment firm, in May. They had a money-making proposal.
MedSec suggested an unprecedented partnership: The hackers would provide data proving the medical devices were life-threatening, with Block taking a short position against St. Jude.
[…]
MedSec is taking a path that some frustrated security experts believe is the only way to create fundamental change: find a way to impose significant monetary penalties on companies it believes are negligent when it comes to protecting consumers. But the startup is doing so in ways that violate some of the most basic standards of ethical security research and in an industry where the stakes are especially high.
Read it all on Bloomberg.