
https://www.youtube.com/watch?v=Kh0Y2hVe_bw

I accept with basically no questions that the announcement was coordinated to enable a stock-shorting scheme. You might be interested to know: this isn't the first time that's happened. I don't care. I don't think these stock-shorting schemes work. I agree with Matt Levine: attempts to profit from stock declines are far from the worst things people can do with vulnerability research --- for instance, they could collude with vendors to withhold disclosure for months or years, which is something that happens.

Where I have problems:

* When AMD fanatics try to spin the confusion about the story into a claim that CTS-Labs didn't find anything, which we know now to be false.

* When anybody reacts to the confusion by announcing to Hacker News that there are immutable norms of vulnerability disclosure that were broken in this case, especially when those supposed norms are false and most especially when they assert obligations researchers have to vendors.




I don’t even have a problem with shorting. It’s fair game, and a company’s bug bounty should reflect what they stand to lose by not paying top dollar to preempt exactly that. Any talk about the company being “entitled” to anything is BS. If someone had a vulnerability that would get them access into anyone’s Dropbox as their IPO rolls out... they’ve earned it.

I just think if that’s your plan, you best not be bluffing and had better have something really good up your sleeve. I do have a problem with overstating your case and spreading FUD to try to make a quick buck off of at best a B+ attempt.



