A trader looks over computer monitors as he works in the Cboe Volatility Index (VIX) pit on the floor of the Cboe Global Markets, Inc. exchange in Chicago, Illinois, U.S. (Photographer: Daniel Acker/Bloomberg)  

How Short Sellers Built A Business On Security Bugs

(Bloomberg) -- The message came on the morning of March 12 like a warning shot—or, as executives at Advanced Micro Devices Inc. might have seen it, a sucker punch.

In an email sent to the general security inbox maintained by the Santa Clara, Calif., chipmaker, an executive of a security company located on the other side of the world claimed to have discovered 13 critical vulnerabilities in AMD’s line of chips. The alleged flaws, which the sender described in detail, could allow an attacker to get into the most secure part of AMD’s chips, where passwords and other sensitive information are typically stored. Any network with the faulty AMD processors, the researcher claimed, would be in serious danger.

Under normal circumstances, the note, sent by CTS Labs, a six-person security startup in Tel Aviv, would hardly have created an emergency for an established chipmaker such as AMD. Under a practice known as responsible disclosure, security researchers inform companies of their findings in secret, allowing them 30 to 90 days, depending on the bug’s severity, to develop a patch before going public with the findings. A company may pay a modest reward, known as a bug bounty, if it judges a security company’s work to be particularly important.

But responsible disclosure is a custom, not a legal requirement, and one that CTS argues is unnecessary and outdated. The company’s business model involves researching security flaws at big hardware manufacturers, then peddling that research to short sellers, who can profit once the disclosure is public. For the business model to work, CTS can’t offer its targets grace periods. So instead of 90 days, the company gave AMD less than 24 hours.

The following day, March 13, CTS went public with its findings. It issued a news release directing people to a website, AMDFlaws.com, where it had posted a description of the vulnerabilities with dystopian-sounding names—Ryzenfall, Chimera, Masterkey, and Fallout. The security company had briefed journalists in advance.

The same day, a well-known short seller, Viceroy Research, published a blistering report titled AMD—The Obituary, contending that the flaws would force the chipmaker to file for Chapter 11 protection. AMD’s stock rose that day, but by early April it was down almost 20 percent. (Other chip stocks fell during the same period but not as sharply.) CTS says Viceroy isn’t a client, but it acknowledges having shared its research with other short sellers, one of whom may have tipped off Viceroy.

CTS’s tactics are unusual—and hugely controversial. “They’re serious guys in the security industry,” says Nimrod Ben-Em, the chief executive officer of Viral Security Group, another Israeli security company, referring to CTS. “But I don’t want to legitimize their way of acting.” CTS didn’t make the technical details of the vulnerabilities public, sharing them only with AMD, but Ben-Em says that announcing its findings before a fix was ready was irresponsible.

Even so, trading based on knowledge of an otherwise undisclosed vulnerability is generally legal, says Joshua Mitts, a securities law expert at Columbia University, who published an article on the topic in the Harvard Business Law Review earlier this year. “It’s not insider trading if the information originates outside the firm.”

The ethics of the CTS disclosure have become a matter of fierce debate. Critics pilloried the company for promoting the vulnerabilities rather than working quietly to help fix them. GamersNexus, a hardware trade publication, described the research as an “assassination attempt.” And in a social media post, Linus Torvalds, the creator of the Linux operating system, called the research “garbage,” adding that “it looks more like stock manipulation than a security advisory to me.”

AMD acknowledges that the vulnerabilities are real but says CTS exaggerated their impact. Privately, executives have intimated that CTS acted in bad faith, according to people familiar with AMD’s thinking. CTS, these people say, made no phone calls and sent no emails to individual AMD staffers who typically deal with security issues. The implication, as far as AMD is concerned, is that CTS had sought to make a buck by helping investors short the stock rather than playing the role of the good Samaritan.

CTS’s response: So what? “We’re not doing this out of the goodness of our heart,” says Chief Financial Officer Yaron Luk-Zilberman. “We’re doing it because there is a business here.”

Luk-Zilberman, a veteran of the elite Unit 8200 of the Israel Defense Forces who previously ran a hedge fund, started the company with two other ex-Israeli intelligence officers, his brother, Ilia, and Ido Li On, now CTS CEO. The three men say responsible disclosure comes with its own ethical limitations—namely, that consumers are frequently left vulnerable during the period between when a flaw or data breach is discovered and when it’s disclosed. Equifax Inc., for instance, failed to act on warnings from the U.S. Department of Homeland Security about a software vulnerability and then, after learning it had suffered a data breach, waited six more weeks before alerting consumers. The slow response allowed hackers to steal Social Security numbers from about 150 million Americans.

In some industries, such delays are regarded as unacceptable, Luk-Zilberman says. “Imagine if there were a pharmaceutical company that developed a drug with poisonous qualities and that the researchers who discovered those qualities were expected to give it secretly to the company and wait 90 days,” he says. “The absurdity jumps out at you.”

The custom of keeping vulnerabilities secret until they’re patched is designed to avoid broadcasting them to other hackers, who could then use the information to steal data from unsuspecting consumers. To incentivize researchers to follow this protocol, companies often offer bug bounties to anyone who reports a legitimate flaw. These bounties are more about recognition than compensation, giving researchers a valuable credential. The prizes can range from a few hundred dollars for a small mistake to about $100,000 or so for an enormous one. United Airlines Inc., for example, pays its bug bounties in airline miles.

Such sums aren’t enough to cover the costs of a company like CTS, whose six employees worked full time for a year to produce the AMD report. Many companies, including AMD, offer no bug bounties at all, often rewarding security experts with a consulting gig after the fact.

“You can’t fund researchers this way,” says CTS CEO Li On. The result of the current framework, he says, is that rather than take findings to a company, researchers frequently sell vulnerabilities to private security companies. One such business, Zerodium, pays $1 million or more for big discoveries. Black-market brokers, who work with organized criminals and rogue states, pay even more.

CTS says that even though selling research to short sellers might seem distasteful, it’s not as bad as selling it to groups that will use it to hack or spy on users. In mid-March, in response to the CTS report, AMD promised to address “in the coming weeks” three of the four categories of flaws identified, rejecting any suggestion that it was incapable of doing so.

“We’re proud of the project,” Luk-Zilberman says. “They are fixing this stuff, and they’re probably doing it faster than they would have.” —With Ian King

BOTTOM LINE - Security company CTS’s research on vulnerabilities of several AMD chips represents a test case for the ethics of uncovering and publicizing security flaws.

©2018 Bloomberg L.P.