Doug Lhotka

Technical Storyteller


Opinions and commentary are mine, and do not reflect those of my employer.

(C) Copyright 2019-2023
Doug Lhotka.
All Rights Reserved.
Use of text, images, or other content on this website in generative AI or other machine learning is prohibited.

Security Vulnerability Research = Stock Manipulation?

August 29, 2016 By Doug

Last week a group of “security researchers” teamed up with an investment firm in order to make money shorting the stock just before releasing a report on alleged vulnerabilities. Let’s look at this novel business model. Disclaimer: I am not an attorney.

Anyone doing this needs to be very sure of their conclusions before trying to monetize a security vulnerability in this way. If the vulnerabilities turn out to be inflated or inaccurate (and that’s currently in dispute), then they’d likely find themselves on the wrong side of both shareholder and company lawsuits for loss and defamation, as well as an SEC investigation for stock manipulation. That’s a whole lot of hurt – the SEC is not an agency I’d like to cross.

But if we assume that the vulnerabilities reported are real and truly significant, we’re into Muddy Waters (the name of the investment firm) for sure. Assuming that the researchers had no insider knowledge, and didn’t steal or otherwise illegally gain the information, is it stock manipulation?

Is this any different from someone watching the trucks going in and out of Foxconn to estimate how many new iPhones Apple will sell, and basing stock purchases off that research? Or any different from someone shorting orange juice futures because they developed a more accurate weather forecast algorithm than is generally available? If they stole a report (Trading Places, anyone?), or were given insider information by a tipster, it certainly is. But for gathering the information themselves? I’ll be very interested to see where the SEC draws the lines.

In any case, if any of the researchers are members of ISC2 (and I have no way of knowing), they’re probably on thin ice. The Code of Ethics includes:

  • Protect society, the common good, necessary public trust and confidence, and the infrastructure.
  • Act honorably, honestly, justly, responsibly, and legally.
  • Provide diligent and competent service to principals.
  • Advance and protect the profession.

I think they’d be hard-pressed to justify their actions under that canon. Maybe I’m just old-fashioned, or an overgrown Eagle Scout, but this strikes me as out of bounds ethically. Creative, yes, but unethical. Now we wait to find out if it’s also illegal.

Filed Under: Security
