Hedge funds think it's a great idea. What about security researchers?
A version of this post originally appeared in the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter.
Everyone agrees bug bounties, whereby companies pay hackers to tip them off about vulnerabilities, are a good idea. But now professional investors want to get in on the action, which raises hard questions about whether this is a clever market strategy that promotes security — or just sort of sleazy.
The issue became big news after a short-seller firm, Muddy Waters, announced this month that St. Jude’s medical devices had cyber vulnerabilities. The firm is poised to make money after St. Jude’s (STJ) stock dropped over 5% on the news. According to a Bloomberg report, this triggered a frenzy of investor interest that could kick off a new strategy that goes like this: “Find a company or industry that is adopting Internet-connected devices, check whether the gadgets are hackable, place your trades and publish the research.”
St. Jude’s is not exactly happy about being the guinea pig for this investment strategy: It is suing Muddy Waters, saying its announcement was false and defamatory. Meanwhile, the U.S. Food and Drug Administration says it is looking into the vulnerability claims (Muddy Waters told the agency about the claims before going public with them).
While the hedge fund crowd is tantalized by the idea of a new high-yield investment strategy, the cyber-security community may have second thoughts. If this strategy of short-selling cyber victims catches on, will it create perverse incentives that result in longer lag times before problems are patched? Or will the specter of short sellers just provide another incentive for companies to take their security more seriously?
There is also an “ick” factor. Recall how the Pentagon, after 9/11, proposed creating a futures market to predict terrorist attacks. It was a sound idea from an economics perspective, but popular revulsion meant it was never implemented. It’s likely some people will feel the same way about funds that seek to make money off cyber catastrophes.
It’s too soon to say whether the Muddy Waters model will catch on, but we can expect to hear more about this in the future.