On Tuesday, a little known security company claimed to have found vulnerabilities and backdoors in some AMD processors. Within some parts of the security community, the story behind the researchers’ discovery quickly became more interesting than the discovery itself.
The researchers, who work for CTS Labs, only reported the flaws to AMD shortly before publishing their report online. Typically, researchers give companies a few weeks or even months to fix the issues before going public with their findings. To make things even stranger, a little bit over 30 minutes after CTS Labs published its report, a controversial financial firm called Viceroy Research published what they called an “obituary” for AMD.
“We believe AMD is worth $0.00 and will have no choice but to file for Chapter 11 (Bankruptcy) in order to effectively deal with the repercussions of recent discoveries,” Viceroy wrote in its report.
CTS Labs seemed to hint that it too had a financial interest in the performance of AMD stock.
“We may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports,” CTS Labs wrote in the legal disclaimer section of its report.
On Twitter, rumors started to swirl. Are the researchers trying to make money by betting that AMD’s share price will go down due to the news of the vulnerabilities? Or, in Wall Street jargon, were CTS Labs and Viceroy trying to short sell AMD stock?
Security researcher Arrigo Triulzi speculated that Viceroy and CTS Lab were profit sharing for shorting, while Facebook’s chief security officer Alex Stamos warned against a future where security research is driven by short selling.
Yaron Luk, co-founder of CTS Labs, told Motherboard that “Viceroy is not a client of CTS, and CTS did not send its research to Viceroy.” When asked about the company’s financial motivations, Luk said that “we are a for-profit company that gets paid for its research by a variety of research clients.”
“We do not discuss our research clients,” he wrote in an email sent after publication of this article. “In addition, we are driven by the desire to make products more secure, and to protect users, as we hold companies responsible for their security practices.”
Viceroy’s founder, Fraser Perring, was adamant about its company’s intentions.
“We haven’t hidden the fact that we short the stock,” Perring said in a phone call with Motherboard. “Where does a company with these serious issues go? For us you can’t invest in it.”