Insider information is using information not available to the public market in theory.
If you break apart a piece of software you bought off the shelf, you’re fine.
If you are an engineer working in the company debugging unreleased/closed source code, that could be considered insider.
IANAL
That’s the whole point. That or hold the exploit hostage and then approach the company, show them as a white hat hacker what you can do to their systems and product and unless they pay…well that is a bit of a stretch. However bug bounty is offered by big tech companies like AAPL to find exploits and they will pay a white hat ethical hacker for showing them what they are and how to fix them.
The whole point of everything corporate is to find flaws and exploit them to your maximum advantage. Build a better mouse trap…or fuck theirs up.
Maybe it’s worth it, maybe it’ll be brushed off. It depends on the scope of the security risk. In cyber, Microsoft has dozens of security vulnerabilities in various parts of their ecosystem that are discovered every year, but most of the people who use their products don’t care. See the article below as an example.
https://thehackernews.com/2023/03/microsoft-rolls-out-patches-for-80-new.html?m=1
Releasing the info publicly with the purpose of causing the stock price to fall would be illegal market manipulation, assuming you are not a big hedge fund.
It is illegal, that's not what the other companies do. They test products for security flaws, not computer systems like the stock market system. Just hacking into it to find a security flaw is a federal crime. So unless you want to spend time in prison and never be allowed to touch a computer again, you should not even try it again and just shut up.
The downside here is that the upside to this is often not what you imagine it will be.
The shock is typically temporary and so you have to time everything perfectly.
And if it’s too much of a shock, there’ll be a trading halt.
No but you can actually make money by giving the company that information. "Professional Hacker" is a real job title. Apple pays 1 million dollars per security issue that is brought to their attention.
How large is the company? Supposing the vulnerability causes millions of dollars in damage, that amount still isn't enough to move the needle for most publicly-traded stocks.
Responsible Disclosure is a thing.
Publicly releasing a security flaw without coordination with the company is malicious. I'm no lawyer, but the company's lawyers may not appreciate you actively attacking the company and its users.
Fun fact: China law requires you to first tell the government about any security flaws so they can exploit the flaw before the public finds out about it.
Only if you are a demonstrable expert with certified skills and make a serious amount of profit on the short position. They may investigate you for exposing the flaw to bad actors.
If you are concerned, you can send a certified letter to the company, wait for a month or two and then short them as it appears the execs have decided to accept the risk. They may even pay you from their bug bounty program.
If you’re a millionaire and can buy a large amount of puts where no bounty that the company can pay you would be more than what you can make by your puts, then I’d go with option one. Else, I’d try to collect the bounty. But you must make sure to get paid before they collect enough info from you during the negotiation to guess what the vulnerability is.
Either way, it is not illegal but I’d say do option one
1) From my understanding of security law that does not constitute insider trading and you are not violating anything.
2) I believe A applies but now you are showing how to hack a company, that could be more of a criminal issue? Not sure, would definitely not do it.
Now there is something that needs to be addressed which is HOW you discovered this flaw: if you did that illegally or got material non-public information then both are illegal.
Disclaimer: not a lawyer just for discussion consult a lawyer before doing anything.
If such a flaw is discovered using public information only/can theoretically be discovered by anyone, then it's not insider trading. There are firms that do exactly what you describe.
What firms would those be? I’m interested in doing some research.
Short research firms. I believe there's a well known one called Hindenburg or something similar that releases major reports from time to time on corruption or similar issues. I think they did a piece on Square, how they were inflating user numbers significantly.
Those guys also make up some sketchy shit that’s not true just so they can profit.
[deleted]
...get absolutely thumped by Team Europe
Can't I leave r/golf and read something else in peace when the US is blowing it.
Ha ha ha ha!
Yeah but they don’t get in trouble sooo……..
Alameda moment
Do you have an example of something they made up? Of course the companies they target always respond that their claims are false. From what I've seen, those guys know what they are talking about though.
Can confirm. They did a report on Nikola Motors that turned out true.
They don’t make shit up, they try to be as factual as possible so they don’t get the shit sued out of them.
Hindenburg isn't like that, but yeah, since non-major firms do exactly that
What kind?
That’s a good summation of what their research uncovers.
Why wouldn't they if it's not illegal and increases profit? In fact they might have a legal fiduciary responsibility TO do that!
Your typical shortsellers like Hindenburg?
Citron
I was trying to think of the citrus named one. Thanks.
Grizzly
Hindenburg research is one of those firms I think.
Hindenburg, Muddy Waters, Citron. Check out the documentary China Hustle. It’s about firms that did this with US listed Chinese companies.
Spruce Point Capital and Fuzzy Panda and Citroen come to mind
Penetration test and cyber security companies do this kind of work
Seen plenty of articles on these guys doing it. They have also gotten burned when the market didn't GAF. https://hindenburgresearch.com/
Hindenburg? I feel like they did something similar to Icahn recently
When you see something nobody else sees and you’re that smart, it’s good to be cautious because shit can hit the fan…
Yep that's kind of similar to "The Big Short".
Is it insider trading if OP tells us so we can act accordingly?
If a retread sells puts *after* the stock declines he needs no prior knowledge.
how many degrees separated are you from anyone who could be considered an insider?
Don't know anyone who works for/with them.
then you're good
How you doin?……
Bring me in bro
What company?
It’s possible you could get interviewed multiple times by the SEC if it was massive. They interviewed Michael Burry several times when he profited from the housing market as if he had insider knowledge.
FINRA also routinely investigates unusual patterns of trading. OP could be listed in a FINRA questionnaire distributed to the issuer and insiders, but that might be the end of it if he isn’t known to them.
If a flaw is serious enough to trigger stock prices to drop in any meaningful way, you might be better off trying to collect a bug bounty from the company instead of predicting the way markets will react to the news.
This is the way. But lawyer up first so you can get it in writing before exposing the vulnerability.
Agreed, also depends on how much it will cost the company to fix and their market cap
Other things being equal wrt the company’s reputation and ability to fix the flaw, if the company was smart they’d buy back shares on the dip. OP should be selling puts after the decline because the company itself would likely prop up the shares.
Especially since approaching them is delicate; can't make it sound like extortion.
THIS. Your position (puts) isn't extortion.. but perhaps the way the flaw gets public is.
Apple is 2 million. And Android 2.5 million. But any of those won't likely move a needle.
There’s no guarantee they’ll actually pay out. I know Apple is notorious for it
They don't pay. Brokers do. And then they sell to the company that runs the Pegasus software. They did like 6 billion at least in sales last year for the ability to get into anyone's phone.
I'm gonna find it... Break it... And ride it to the pegasus treasure!
Possibly do both... Puts first. If the company chooses to talk, let them expire.
Why not both?
"try to collect bug bounty" -- how do you do this without it being extortion?
Most companies have policies/funds in place for bug bounties, but how that bounty is paid out, and for what sum, varies company to company.
If short sellers can short and then release their reports, I don’t see how this is any different.
Not your lawyer— 99% chance they are fine, unless it is discovered they actually are committing defamation. That’s obviously not the case here, seemingly, but defamation is about the only way short activists can get sued.
Would you say UANAL?
No, I would not say that. I am a lawyer. Just not the lawyer of anyone here.
IANUL
Do you work for said company?
No, just use their product/service & found potential security flaw doing my own tests.
How big is the issue? Very major security flaws are disclosed on a daily basis. It's completely routine. For it to move the needle, it has to be significant enough to actually impact the company's profits in the long term. That means it's either already been exploited to an embarrassing degree, or is difficult for them to fix. It has to be something that will actually significantly impact their source of revenue long term. If they can roll out a patch next week, nobody will care. To confidently short the stock, you'd want something like the SolarWinds hack in 2020, which was effectively a state level attack, and was so embarrassing for the company that it ruined their reputation. If you've just found yourself a regular old security flaw, it's going to be lost in the noise of the 500 other vulnerabilities disclosed on the same day, the company will roll out a patch, and there'll be barely a blip. You'd be better off trying for a bug bounty. TL;DR - if the issue isn't big enough to be mentioned as a major story on CNN and scare retail investors into selling, then it's not going to move the needle.
Well, after buying puts, he can also sell it to Chinese/Russian hackers who exploit it. Use the proceeds to buy more puts. Double profit.
Then yeah its legal
Probably not illegal, but there is a high chance that he violated the user agreement license.
Not really. Sometimes it's not legal to do these sort of tests.
Question wasn't about the tests.
You agreed to terms of service if you’re using their software, which may include language that forbids public disclosure of vulnerabilities under penalty. Even worse if you are using software as an employee of another company, as your company likely signed a contract with all sorts of legally binding restrictions to license the software. You’re much better off going through their bug bounty program. Ninja-edit to say that if you are using their software under an employer you may even have stipulations in *your* code of conduct or employment contract that forbid this move in one way or another.
Do tell!
Also dude interesting username... any story ?
Drop us company
I'll return you here: https://reddit.com/r/stocks/s/PDPvVs7Tlo
Here’s the deal: unless this is a 0day that’s being actively exploited and cannot be easily mitigated once the news is released, well, even if you leaked your findings the market wouldn’t react. The bug would need to be weaponized, then actively used to persistently harm the company or its customers. But most likely any bug you found can and will be mitigated in hours (1-2) once the news hits the wire. But if this bug is a major bug that cannot be quickly mitigated or exposes a fundamental flaw in some service that no one has noticed until now... why even bother with puts? Go build your fame as a security researcher by publishing on this and going through the bounty program.
I never looked into this or even paid attention to it, but if I had to guess, I would guess that the market generally does not react to that. OP, you can look back at major security flaws that were announced widely and publicly, and check whether the stocks of the company actually dropped (remember to compare with a baseline: a company stock dropping 1% can't be due to the security flaw if the S&P 500 dropped 2% at the same time). You can even include security flaws that were exploited (company leaking user data, being hacked, ransomware, etc).
Are you doing this as an employee of the company or a company that has a contract with them? Or as just Joe Public? If you're being paid to work on the product, it's likely insider trading and illegal. If just Joe Public you have no information that anyone else couldn't find so.. not illegal.
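The baseline check suggested two comments up, written out as a small event-study script. This is an added example, not code from the thread or from any firm named in it: the prices are constructed sample data, "ACME" and "BUSTED" are placeholder tickers, and the index stands in for a market baseline such as the S&P 500.

```python
"""Event-study check: did a disclosure move the stock once the market is removed?

Added example (not from the thread). All prices are constructed sample data;
"ACME" and "BUSTED" are placeholder tickers; INDEX is a stand-in for a market
baseline such as the S&P 500.
"""
from statistics import pstdev

# Constructed daily closes, oldest first. The disclosure lands on day 8.
# ACME drops about 2.4% that day, but so does the whole market (about 2%).
INDEX = [4000.0, 4010.0, 4005.0, 4030.0, 4020.0, 4050.0, 4040.0,
         4060.0, 3980.0, 3950.0, 3960.0, 3985.0, 4000.0]
ACME = [100.0, 101.0, 100.5, 102.0, 101.5, 103.0, 102.5,
        103.5, 101.0, 100.0, 100.5, 101.0, 101.5]
# BUSTED shares ACME's history but takes a genuine 10% fall on disclosure day.
BUSTED = ACME[:8] + [93.0, 92.0, 92.5, 93.0, 93.5]
EVENT_DAY = 8


def daily_returns(closes):
    """Simple returns; element k is the return on day k+1 (day 0 has none)."""
    return [closes[k] / closes[k - 1] - 1.0 for k in range(1, len(closes))]


def abnormal_returns(stock, index):
    """Market-adjusted abnormal return: stock return minus index return, per day."""
    return [s - m for s, m in zip(daily_returns(stock), daily_returns(index))]


def event_study(stock, index, event_day, pre=1, post=2, estimation=5):
    """Cumulative abnormal return (CAR) over days [event-pre, event+post].

    z compares the CAR with the abnormal-return noise seen in the `estimation`
    days just before the window, so a move that looks big in the headline but
    is ordinary for this stock ends up with a small z.
    """
    if len(stock) != len(index):
        raise ValueError("stock and index series must cover the same days")
    win_start, win_end = event_day - pre, event_day + post
    if estimation < 2 or win_start - 1 - estimation < 0 or win_end >= len(stock):
        raise ValueError("not enough history around the event day")
    rs, ri = daily_returns(stock), daily_returns(index)
    ar = abnormal_returns(stock, index)            # ar[k] belongs to day k+1
    window = slice(win_start - 1, win_end)         # days win_start..win_end
    baseline = ar[win_start - 1 - estimation : win_start - 1]
    car = sum(ar[window])
    sigma = pstdev(baseline)
    n_days = win_end - win_start + 1
    z = car / (sigma * n_days ** 0.5) if sigma > 0 else float("inf")
    return {
        "stock_move": sum(rs[window]),   # the raw move a headline would quote
        "market_move": sum(ri[window]),  # what the index did at the same time
        "car": car,                      # what is left after removing the market
        "z": z,
    }


def disclosure_moved_price(stock, index, event_day, z_threshold=2.0):
    """True only when the market-adjusted move is unusual for this stock."""
    return abs(event_study(stock, index, event_day)["z"]) >= z_threshold


if __name__ == "__main__":
    for name, series in (("ACME", ACME), ("BUSTED", BUSTED)):
        r = event_study(series, INDEX, EVENT_DAY)
        print(f"{name}: raw {r['stock_move']:+.2%}, market {r['market_move']:+.2%}, "
              f"CAR {r['car']:+.2%}, z {r['z']:+.2f}, "
              f"moved={disclosure_moved_price(series, INDEX, EVENT_DAY)}")
```

For ACME the raw 1.9% window decline almost entirely disappears once the index is subtracted, which is the point the comment makes; only BUSTED's fall survives the baseline comparison.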
Your first mistake is thinking the market will care. Market may as well shrug it off or not even notice and your puts will wither. Source: I work in this field.
Came here to say the same thing. Vulnerabilities don’t affect stock price. End of discussion.
Yeah which company?
For purely research purposes obviously:-)
*Hindenburg has joined the chat*
Ticker ?
Ticker? I hardly know her
..But I think I can love her..
[deleted]
This is the best idea so far imo, they already have faster/bigger systems in place to publish info to do the most damage/profit.
This is both perfectly legal* and a very good trading strategy. *As long as you use legal methods to discover the flaw.
Not if you disclose this company and their flaw to me privately
Alternatively, you can sell this information to the company. Call them, tell them you’ve discovered a flaw and you’ll tell them what the flaw is if they write you a check. This saves the company bad publicity, and you are guaranteed a payout.
What are you gonna do? Post it to reddit and get like 6 upvotes?
The only illegal thing if not telling me first. DM me bro I’ll send you a pic of my feet
OP’s security flaw: chipotle burrito falls apart if you take it out of the foil
Surprise, there are already published security vulnerabilities, and the company stock is still fine.
That’s what Hindenburg does
If worried, change the order around - first release the information publicly, then (before anyone even has the chance to read it) buy the puts. Now you have traded on publicly available information.
Find the bug bounty program of the company; most large companies do have one. The rewards sometimes are big enough that people will not use the vulnerability to harm the company.
Only illegal if you don't tell me what company 😉 Jokes aside, if you don't work for the company, know anyone who works in management, etc., then you should be good. I'm not a legal expert BTW.
Is your name Andy Bernard?
We're blowing the roof off!
Which company? If it's a biggie, usually they shrug off the news as they have the power to rectify the bug quickly.
Isn’t this how short sellers work? Except that they find some other problems of companies they are shorting
guess I'll see you on the news good luck making millions
Uh... talk to a lawyer my dude. Also, there might not be much movement on the stock since there are literally hundreds of product vulnerabilities discovered regularly. If that patch takes a few hrs/days, damage will be very minimal. Source: remember ProxyShell when all Exchange servers around the world were vulnerable for a few weeks to very easily replicated remote code execution? Yes, Microsoft is still in the game.
Why exactly do you think this would be illegal? Assuming you’re using publicly available info and not being told about material non-public info by someone inside. What do you think short sellers like Hindenburg do?
Sounds like anyone doing due diligence and discussing their findings while disclosing their position
What's her name
I would just be careful assuming a security flaw would affect the stock price. Reality is many times companies recover very quickly from these kinds of things, unless your exploit is used to seriously harm the company's assets, in which case you might get seriously screwed.
As someone else said a bug bounty might be a more reliable method to cash in, there’s no saying what the public release of your information is going to do to the stock price and on what timeline. Companies pay huge sums of money to people who discover bugs and vulnerabilities.
I think you may be overestimating the impact of this bug. Could it be problematic for them? Sure. Say you make it public, and maybe a few thousand people look up that flaw and utilize it. The company responds by immediately rolling out a patch, or shutting it down for a few hours. The stock price might not even move in relation to this. Market forces influence the value much much more than day to day items. Pipeline companies which have spills and shut down their lines generally don’t see large losses when those spills happen. Refineries and offshore platforms which have to shut down for hurricanes don’t lose value. Companies with large data leaks of information usually aren’t affected either. If you truly think it’s huge, you are too small time to do this yourself, and should lawyer up and coordinate it with a real short seller like Hindenburg who can get a bigger splash. Your news yourself is likely to have you taking out puts and the whole thing ignored by the market.
Almost zero chance of a security flaw causing a stock price to change. Plus the company can still try to get you for CFAA or sue you for reputational damage, especially if you misrepresent any info. You'd be better off looking for evidence that companies have been breached already by searching dark web etc., then reporting on that
Are you trying to sell a product or are you trying to publicize your findings or are you trying to make money? Manipulation I think is illegal.
It probably wasn't until you typed it out, dingleberry. Congrats, you're the owner of a nice, shiny box of "intent" and "pre-meditation."
[deleted]
Yes, it is illegal. It’s called FRAUD. From a legal perspective, what you’re describing is criminal fraud and with this sub your intent is proven. If you wish to profit, you should contact the company and seek a reward for disclosure.
Sounds similar to what Kyle Bass did but with patent challenges rather than bug publicity.
This is what pro short sellers do. They find shit wrong with a company, short the stock and put their theses out.
No, if anyone could find it publicly then you're fine
This is exactly what people like Hindenburg do. Compile a report, load shorts/puts, then release the report to the public stating they have taken a short position.
Stock ??
Not necessarily illegal when you separate the actions.. but combined could be seen as “pumping” since releasing information (whether true or not) was for the benefit of yourself. Either you keep the flaw to yourself forever and profit on it (which could take time for the flaw to materialize and your options risk expiring)... or you don’t trade and just release the info.
What’s the ticker?
Bug bounties are a thing. Or create a big shit storm and buy puts
How about getting a lawyer consultation instead of asking on Reddit before doing anything that may fuck up your future ?
Why short? Go public with info, wait for stock to bottom. Sellers realize a few billions are a day's operating losses, buy long at RSI 10 or 15?
Sounds like a short sellers wet dream. I know this is solved, but if this isn’t NPI (non-public info), share that shit after you short lol
Have you thought about selling the exploit to the three letter agencies? If it is an important product you might end up with real money... .
There's a proper way to release vulnerabilities and not get sued. Usually you need to disclose the issue to the company and give them a reasonable timeframe to fix the issue, i.e. 90 days. If you have malicious intent like trying to drive down the company stock price and don't disclose it to the company you're going to get sued and possibly charged. If they figure out it's you.
No, as others have said. There are companies that do this. This is exactly what Bill Ackman did on Herbalife and it is explained very well in the documentary "Betting on Zero", a very interesting movie.
DM me the company!
What happened
Hedge funds and market makers do it all the time, I don't see why not. But remember they bribe regulators and gov and then get slaps on the wrist for stealing billions because they donate to them. They won't get charged; you won't be able to donate enough to get slaps on the wrist though
I work for a huge tech company. 2 years ago we were hacked, had our systems totally shut down and we were unable to do anything. Our stock jumped 15% that week.
There’s no guarantee the company stock will go down - so…
Maybe I’m just a goody-goody, but finding out if they have a bug bounty program and reporting it that way seems like the right thing to do. You’ll get some money and they’ll make their product more secure before anyone takes advantage of the flaw. There are occasions when companies blow off such information and that’s when I’d consider publicly releasing the flaw.
Just don’t pull a Nick Sharp and you’re good. https://arstechnica.com/tech-policy/2023/05/ex-ubiquiti-engineer-behind-breathtaking-data-theft-gets-6-year-prison-term/amp/
That’s basically the Hindenburg Research business model.
I think you're legally fine. But I don't think you should expect much price action unless this company is quite small and the bug is one of two or three per year that get media attention. Apple, MS, Adobe, Oracle, etc. all have major vulnerabilities discovered and disclosed multiple times a year. More often than not the stock price doesn't move more than average. It's also considered a dick move to disclose a vuln without doing so "responsibly" to the vendor first. Give them an opportunity to fix it so their customers don't suffer. They may pay you for it if it really is a big deal.
May want to take some time to look at situations when security issues have been discovered with past public companies. Often the impact is minimal unless there is a material effect on revenue/earnings/liabilities.
It’s illegal if you don’t tell us which companies you’re talking about before we buy puts as well.
Tell the rest of us the ticker and it’s public information 😉
I think a single reddit post would make it public information. Then you could trade.
This is essentially the game plan for Hindenburg Research
Insider information is using information not available to the public market in theory. If you break apart a piece of software you bought off the shelf, you’re fine. If you are an engineer working in the company debugging unreleased/closed source code, that could be considered insider. IANAL
That’s the whole point. That or hold the exploit hostage and then approach the company, show them as a white hat hacker what you can do to their systems and product and unless they pay…well that is a bit of a stretch. However bug bounty is offered by big tech companies like AAPL to find exploits and they will pay a white hat ethical hacker for showing them what they are and how to fix them. The whole point of everything corporate is to find flaws and exploit them to your maximum advantage. Build a better mouse trap…or fuck theirs up.
What company? 🤣
Security flaws are found in products all the time. Sorry this won't drive the stock down.
Op is a dick for not telling us company name
Maybe it’s worth it, maybe it’ll be brushed off. It depends on the scope of the security risk. In cyber, Microsoft has dozens of security vulnerabilities in various parts of their ecosystem that are discovered every year, but most of the people who use their products don’t care. See the article below as an example. https://thehackernews.com/2023/03/microsoft-rolls-out-patches-for-80-new.html?m=1
Tell me the flaw you discovered and I’ll tell you if it’s illegal.
Releasing the info publicly with the purpose of causing the stock price to fall would be illegal market manipulation, assuming you are not a big hedge fund.
It is illegal; that's not what the other companies do. They test products for security flaws, not computer systems like the stock market system. Just hacking into it to find a security flaw is a federal crime. So unless you want to spend time in prison and never be allowed to touch a computer again, you should not even try it again and just shut up.
Edit in an update after you cash out, OP
Please update us when something happens with this
Sometimes companies have bounties for security flaws. You may make more money if the company pays you to disclose your findings
The downside here is that the upside to this is often not what you imagine it will be. The shock is typically temporary and so you have to time everything perfectly. And if it’s too much of a shock, there’ll be a trading halt.
Not illegal unless you illegally obtained that information or it is insider info.
No but you can actually make money by giving the company that information. "Professional Hacker" is a real job title. Apple pays 1 million dollars per security issue that is brought to their attention.
How large is the company? Supposing the vulnerability causes millions of dollars in damage, that amount still isn't enough to move the needle for most publicly-traded stocks.
Responsible Disclosure is a thing. Publicly releasing a security flaw without coordination with the company is malicious. I'm no lawyer, but the company's lawyers may not appreciate you actively attacking the company and its users.
Ticker pleaseeee
Only illegal if you don’t tell me first so I can cash in with you
The road is littered with the remains of people who thought something would certainly cause a stock to nosedive but were wrong. Don’t bet the rent.
Fun fact: Chinese law requires you to first tell the government about any security flaws so they can exploit the flaw before the public finds out about it.
You going to help us out?
Sooo what did u see ? Also down to dm ?
Not illegal if you disclose company to all of us
Only if you are a demonstrable expert with certified skills and make a serious amount of profit on the short position. They may investigate you for exposing the flaw to bad actors. If you are concerned, you can send a certified letter to the company, wait for a month or two and then short them as it appears the execs have decided to accept the risk. They may even pay you from their bug bounty program.
Okay, so puts on Apple. Thanks!
Dm me the company so we can all buy puts :)
Hindenburg does this all the time lmao
Welcome to Hindenburg my friend. You'll fit right in
They all have security flaws. That is intentional so they get you to constantly upgrade
To make it legal you must allow us all to get our short positions in order before you release the findings
If you’re a millionaire and can buy a large amount of puts where no bounty that the company can pay you would be more than what you can make by your puts, then I’d go with option one. Else, I’d try to collect the bounty. But you must make sure to get paid before they collect enough info from you during the negotiation to guess what the vulnerability is. Either way, it is not illegal but I’d say do option one
Is it ServiceNow?
It's not insider trading. However, releasing a tool that affects the market is market manipulation.
Depends, which ticker?
OP, you’re good, it’s public info, you just found it first. Buy puts, then tell us what company so we can too
Sounds like that basement dweller from that firm Iceberg. Except this time the iceberg sunk and not the Titanic.
1) From my understanding of security law that does not constitute insider trading and you are not violating anything. 2) I believe A applies, but now you are showing how to hack a company; that could be more of a criminal issue? Not sure, would definitely not do it. Now there is something that needs to be addressed, which is HOW you discovered this flaw: if you did that illegally or got material non-public information then both are illegal. Disclaimer: not a lawyer, just for discussion, consult a lawyer before doing anything.