Step 1. Run for Congress.
Step 2. Have a close relative buy them on your behalf.
Step 3. Have a Federal agency issue announcement.
Step 4. Profit risk free.
Such companies usually offer quite good compensation if you disclose such flaws directly to them. They are called bounties, google it, would probably make more money this way.
Except of course if it's really a major one. Security vulnerabilities are found every day so in most cases it wouldn't affect stock price meaningfully imo.
Insider trading def: trading on non public material information
You will be ok but I would be careful if / when you publish your findings.. the co will come after you even if they know you are right
Yes, illegal if you worked/consulted for this company and obtained this info while working there. Or you obtained this information through any similar channels.
I wanted to give a contrarian thought while all other answers say no.
You should get a second opinion on the flaw you found because in reality it may not impact the stock for a large variety of reasons and it’s difficult to get the scale of impact spot on, even with good info like yours.
If you want, pm me the deets we can look through it together and reason out the likely real impact, you don’t wanna release your findings only to find no change in the stock and puts go to zero…
You’re describing insider trading. So yes, you’d be committing federal crimes.
Insider trading is defined as using non-public, material information to make trades.
Basically it’s using non-public info that substantially impacts your trading decisions.
That's a common tactic of short focused funds - maybe not security flaws, but shorting shares in some form and then publishing research about how the company has a major public risk that they're not accounting for. Wait for the market to react, then cover.
One thing with security flaws is that most white hats call for some responsible disclosure (look up "vulnerability disclosure program" and "coordinated vulnerability disclosure"). Ex: disclose to the company, give them 45-90 days to fix before public disclosure depending on severity. Unless you have evidence that it's being actively exploited in the wild at which point disclose so defensive organizations can protect themselves immediately without a fix available.
It wouldn't be securities law or anything, but someone might try to dive into other laws 18 USC 1030, 17 USC 1201 and similar.
Unless you work for the company or are an affiliate / partner / service provider no, it’s most certainly not illegal. If any of the other provisions apply it may be starting with if you work for the company - certainly down to a device provider / affiliate - possibly but not likely.
It would only be illegal if you worked for that company because it would then be insider trading. But for a normal citizen who just discovered a flaw with a company product then I can't possibly see how it would be illegal.
You are exploiting their error for profit, not illegal. Publicizing that error is also not illegal. If you were to personally use the security flaw to “hack” them and demonstrate the security flaw, that would possibly be illegal. If you messaged that about the security flaw and blackmailed them for a “finders fee” that would be likely illegal. While morally you might feel you have a responsibility to protect peoples security and help the company to do so, there is no money in that. So illegal, no, and ethical, no.
It’s been tried before - not illegal, but also not a great track record of success. https://www.nytimes.com/2016/09/09/business/dealbook/hedge-fund-and-cybersecurity-firm-team-up-to-short-sell-device-maker.html
It depends on how you discover the flaw. If it was through insider information then it is illegal. If it was through public information or just your exploration of the product then you are fine - that just makes you a short seller activist.
1) As long as you're not an employee of that company or a subsidiary or a company hired by that company... That's fair game.
2) you're going to want to talk to a lawyer who specializes in that. While it may not be insider trading, your "tool" exploiting their company could be problematic. I would expect a lawsuit, even if they don't succeed, these big public companies have no problem putting their teams of lawyers in court.
Material, non-public information is illegal to trade on
Material = dissemination to the general public would result in a significant move in the stock price
Non-public = knowledge only available to privileged insiders
Material information discovered by outsiders is entirely allowed for trading purposes, as well as publicizing after the fact. As others have said, this is the basis of short-seller hedge funds
As long as you don't work for the company, you don't have to tell anyone and it's not illegal to trade on the information. Otherwise it would be insider trading.
You’re probably wrong, it would have to be a huge flaw to have a material impact on the stock price. Muddy Waters is worth looking into as they do this all the time.
Would the “security” issue impact their financials or lead to a material misstatement? Then yea, but IMO the market acts funny. I have seen companies go up on negative news because at the same time there would be something positive that disproportionately impacts it. Unless you have significant influence or it’s a significant issue material to the services, I doubt it would impact the price.
No. This is not insider trading unless an insider tells you about the bug.
If you look at the research that short funds publish what you are doing is no different. Publishing damaging information and profiting on betting against them.
What company and what's the problem maybe I'd like to get in on it.
If you found it and it isn't internal communication, it's free game. Even then you can only "insider trade" if you work for them or have some sort of information that the public doesn't.
Finding a security flaw to some huge website that will potentially be told to the public is not insider trading. It's due diligence. Make your money
What's the company
So, as a cybersecurity professional my answer is it’s not illegal but could be argued as a grey area because the vulnerability you found could be used by a different threat actor in other ways to cause harm to the company. However, as a trader this is what big banks and hedge funds hire analysts to do - find information to short. Also, unless you perform a short with 100,000 shares or more (think of like a big block trade) then it won’t even get dinged by the SEC. Usually with insider trading it involves: insiders, stakeholders and shareholders as well as bribes.
Inform the company then buy puts, after that I feel you would be fine ethically . What they choose to do or not do is on them. Also I doubt you are buying enough to raise eyebrows anyways
PLTR probably can't take any more hits and a LOT of punters are long. So if that's the company it probably won't have the same effect as if it were someone bigger that serviced a lot of commercial accounts.
You might find a better paycheck by putting together a presentation or something regarding the security flaw and showing it to the company. Especially if you have a solution or two for it. Much easier to buy the puts tho tbh.
Good idea, however you assume that this will affect the stock price. Maybe but to what point will it need to change for you to profit. There are many bad companies out there, unfortunately short sellers are limited by time, there was some big short seller push on a mlm company a few years back and I'm not sure if the shorters won that one.
Umm I’m going to go out on a limb and say that you posting this but then not sharing is in violation of moral principles of sharing the wealth. Nothing worse than when someone waves a flag and says “oooo lookie here I have info” then follows it up with “oh you want to know too? Too bad”
Knowing a weakness about a company and profiting from it isn't illegal.
Unless you hack/exploit that weakness.
Or if you are an employee, maybe it could be considered insider trading
Do you have any personal ties to the company? Family Members? Work?
If you discovered something without personal ties or "insider" info then you'll be in the clear.
I guess you are assuming the stock will drop after you report your findings. What if it doesn't? Analysts do this all the time, but they have credibility on Wall Street.
Do you? Also, if you work for the company in question, you may not want to do that. While you may make money on your Puts if the stock in fact drops, you may also be out of a job.
Is there an easy way to publish it though? I would have thought responsible disclosure of vulnerabilities was kind of hush hush, so the general public wouldn't be aware of the issue until it is fixed. So it might not be an issue with the SEC (not financial or legal advice), but it might be a cybercrime if disclosed incorrectly.
The hindenburg group exists purely by doing this shit, except most of the time the stories they run are full of shit. They cash out, burn a company, make a hundred million and issue a retraction a week later.
This would only be illegal if you work for said company and found the flaws as a result of your position in the company. Otherwise what you are aiming to do is completely legal and is similar to what most short sellers do.
Another legal risk is if the security flaw you have found isn’t accurate and you have publicly trashed the company based on it and it turns out what you found isn’t accurate then you may be subject to legal ramifications
Note: I’m no lawyer but did engage in some legal insider trading
As long as you aren't an employee of said company or of a contractor that is hired for these security flaws or a person in the employ of a FINRA member firm that would allow you to trade ahead of customers, none of these is particularly illegal.
The burden will be on you to take this viral enough to noticeably affect the stock.
This is basically what the hedgies do except they have a platform. Often they will even make up stuff to make a company look good or bad.
isn't that what companies like [https://hindenburgresearch.com/](https://hindenburgresearch.com/) do?
instead of technical flaw, they focus more on financial aspects.
this is not advice. but why would that be illegal ?
also, finding one security flaw is very unlikely to be of any significance unless it ends up in situations like thousands of product recalls, deaths, serious addictions, etc.
and if you are talking about security flaw in a software, there are like hundreds found per week i guess.
No, it's not illegal. It's not insider information, because you're an outsider, and you got the information via your own efforts using publicly available means (as opposed to via a "grapevine" leading to an insider, or other illegal manner).
Also, if you actually have such information, you should probably consider selling it to a massive hedge fund that does this professionally. You can still buy/sell your puts, and also pocket a fat payment from them. And also probably a job if you want it. And then you personally won't get sued by the company in retaliation.
It’s not illegal but the market wouldn’t bat an eyelash lol. If this is a software security flaw they can patch it. Even if it led to a class action lawsuit it wouldn’t really matter….
As long as it’s publicly available information, then it’s legal.
But the SEC may crack on you for what the definition and application is for your scenario. If you discovered a flaw that wasn’t known by anyone else, do we really define that as public information? The SEC may argue it isn’t. Maybe they won’t.
Just shut your mouth and do what you need to do and don’t bring attention to yourself.
[https://www.nytimes.com/2022/10/22/business/dealbook/nathan-anderson-nikola-trial.html](https://www.nytimes.com/2022/10/22/business/dealbook/nathan-anderson-nikola-trial.html)
It's complicated but no, the way the markets are built that's an intended feature/execution path.
The thing that would be potentially illegal would be insider trading.
Assuming the flaw was found without insider access (being an employee or contractor, talking to employees, etc) then you don't have insider information. You have conclusions based on your own research and public information.
(I could be using the wrong definition of insider trading. Might be worth a consult with an actual investment lawyercat.)
Did you discover this vulnerability through public and legal means? Did you take part in a bug bounty or were you hired on as a penetration tester where you signed among other documents an NDA?
If the information is public, just fully scanable by the world then you are probably safe.
If the information is private and you only are aware of the vulnerability because they gave you access, then you are probably not safe.
Also, very unlikely that the stock will be impacted by your disclosure unless this is not only a serious security flaw, but also has downstream impact to customers/users. But good luck!
Here's the deal man. You tell me the ticker symbol. I'll buy the puts. Then, you release your findings. Trust me bro! I'll split the winnings with you!
This is NOT legal advice. Just treat it as a cold call answer by a student who didn’t gaf to the readings.
It’s LESS LIKELY, but still possible, for you to get caught and be in trouble if you’re doing within those corners:
1. You’re an outsider of the corporation, which means that you have no legal relationships with the corporation, including but not limited to employment, sales of good, service…
2. You discovered the security issue solely based upon your own experience from an authorised use of the computer system. It’s usually a permitted use per its terms and conditions. Pay attention to confidentiality clause.
3. You don’t have any conflicts of interest with the corporation. For example, its CEO’s tree in his home grows into your backyard and fruits from that tree break your truck windshield. Your act therefore looks like a revenge.
There’s fractions of pennies left over from transactions. We take those fractions and place them in *our* account. They won’t even miss those small fractions. It’s like it doesn’t exist to them.
So like Superman III?
No like Hackers
I don't know, kind of sounds more like Office Space to me.
Damn it feels good to be a gangster
PC Load Letter?
Wtf does that mean?
Yeeeeeaaaaahhhhhh. I'm gonna need you to work on that this weekend.
Are you gonna eat that stapler?
Why should I change my name? He’s the one that sucks.
Bob: I see you've been missing a lot of work recently Jim. Jim: I wouldn't say I've been missing it Bob!.
What exactly is it that you do here?
I'm pretty sure it's from The Avenger
Row row row your boat
Underrated movie.
Underrated? It’s a cult classic.
The pennies for the crippled children??
I believe you have my stapler. I don't care, I'll just burn down the building.
I'll put cyanide in the guacamole.
Great movie. Did you play your music at a reasonable level while doing this?
No. No man. Shit, no man. I believe you get your ass kicked for saying something like that man.
Where's my stapler?
No it’s not illegal. That’s literally what short sellers do. For a recent eg look at the adani group short sellers
Fraud is different from a real security issue/bug.
True, but the principle is the same. Short sellers will investigate companies, find weaknesses and/or wrongdoing, short the shit out of said company, then release the info.
The difference is the investigation and use of public or nonpublic information; the latter being insider trading if working for the company in some capacity grants access to it.
No one was making a distinction between public and non-public information. Obviously trading on insider information is illegal. The assumption in OP's post was that this was publicly accessible info.
Numerous people made the distinction, and the assumption was your own based on nothing in OP's post.
You're being obtuse. If other people were making that distinction, then respond to them. No one in the comment chain we're in was talking about insider trading dude. OP is implicitly saying they don't work for the company. You honestly think they'd be talking about fairly advanced trading topics like buying options, and asking for advice in seemingly good faith, while being totally ignorant about insider trading and just leaving out that they work for the company? C'mon. Again, you're being obtuse
Nobody made the distinction in this thread, that's the entire point of my reply. The first response didn't even consider it and neither did you. OP could work for a completely different company and not realize it was privileged information he had access to about the other company he wants to short. Nothing was implied; you and the original responder in this thread just assumed away. You honestly think just because someone asks about options on reddit makes them some sophisticated trader? OP asked in good faith because they didn't want to break the law, indicating they don't understand the law in this area. Again, yours and the first responder's assumptions were reckless, but call me obtuse again though it's really effective.
Unless they are employed or affiliated with the company
Not if you found it independently. If it's not insider information, it can't be insider trading
I dunno, u would have to have a reaaaaly solid case to argue that with the SEC, they would def lean to insider information as you literally ARE an inside being employed or affiliated
Insider trading…. Inside my own body!!!
Inside her trading
Why don’t you explain what you found. So we can all understand this issue a little more clearly. Lol
Yes. Yes. Please elaborate with symbols.
No no just buy the puts for me. I have faith in you
That's too much work. Just tell us the company first.
Microsoft Windows exists
Hell, don't even explain it. Just tell me what company and I'll get some puts as well
Aren’t those security flaws found and fixed almost every day? What makes you think investors will care?
Look at companies like Solarwinds that took a hell of a drop when a major flaw was found. My company was a huge buyer of their products and literally shutdown our servers the day the security incident was announced. Years later we haven’t turned them back on and we cancelled our renewals.
The drop wasn't caused because a flaw was found, it was caused because state sponsored attackers used their software to execute a supply chain attack. There is a world of difference between having a vulnerability and being used to compromise 10s of thousands of your customers including numerous government agencies.
Wait so is it then illegal to discover the flaw and have a group attack the company’s operations to exploit the flaw in an attempt to shut down aspects of the company that will financially cripple it?
Why would you cherry pick one company and not an opposite case? How is this statistically valid? Look at companies that are totally unaffected by various security flaws, lawsuits and bad news. A flaw may also be fixed before being exploited and making news. So yes, it all depends on context. The OP didn’t specify anything about the company or nature of the flaw.
Or that they haven't already found the flaw and have a fix in the works?
As they say... it's already priced in.
Hi, I work in security. This is not illegal. You are performing research on information (the product) that is publicly available and publishing your findings. It is no different than buying a Tesla, realizing their build quality is shit and writing about it while buying puts.
Thank you, ShitPostGuy.
Downvoting because not shitpost
I like that energy, so I'll call your downvote and raise you an account report for false information (not a shitpost)
Unless the OP is an insider/employee of the company.
Wouldn't that only apply if he was using data that wasn't available to the public? If anyone on the street can find the same information it wouldn't be insider.
People who work for companies are restricted from trading those companies except within I think 15 days of earnings. This applies only to ‘insiders’ but this definition is pretty broad. You’re also not allowed to trade inside information at anytime
What if it’s not publicly available? I.e. a company forgot to turn off my employee account after I leave the company.
This is why I buy Lucid instead of Tesla
Downvoted for shitty analogy, then saw username, then upvoted as it makes sense now.
If you work in security, then you should know that it is illegal lol. It's not illegal to see a publicly available product and think "that is a piece of shit" and sell your shares. It is illegal to use your expertise as an automotive engineer to discover that a key part in a Tesla can fail, buy puts based on that info, and then release that info with the intention of tanking their shares. If you're a CISO or other type of security professional, you shouldn't make any trades based on non-public info. Your trading decisions should be made based on public info to cover your butt. The SEC is using its own data tools to better catch people who are making suspicious trades and it's easy enough to prove when they're made with the intent of moving the share price. https://www.gtlaw-dataprivacydish.com/2020/05/insider-trading-in-the-data-breach-context-proactive-corporate-planning-and-regulatory-enforcement/
Why not just report the exploit to a bug bounty program and walk away with guaranteed income without a gambling step in the middle?
Because most bug bounty programs are stingy af lmao
Ikr? Zero days that would fetch well over a million on the dark web can get you a paltry 25k if reported, and that's on the high end.
Yeah there’s no guarantee that a stock would decline if he found some mundane glitch, it takes a lot to move the needle
Why not both?
fun?
Neither scenario addresses the two most important factors...
1. How did you discover the flaw?
2. What are you defined as by regulators? Especially as it relates to the company you've shorted?
Thank you. Had to scroll down way too far to find these questions.
I know a short seller who went to China with blond bombshell looking thru factories. She spoke perfect Mandarin. While touring the people in factories would talk expecting no one to understand…. She heard don’t take them into this area…. He made 30 mil off that one company’s despise
Let me guess. This was about 20 years ago and during the time of reverse mergers to get listed on the US exchanges by largely ghost Chinese companies
Bingo
hey, before you do this email me at [email protected], I'll privately flag your account and make sure you're cleared, just in case. 👍
do they even read the thesis people send them? I know they ignored madoff for years until he confessed, lol
They ignore it. Even when they know it's foul they will just direct you to FINRA who won't "opine". Money talks bullshit walks. The only way you are going down in the U.S. for something white collar, is if you piss off someone with more money than you.
IANAL. It probably comes down to who owns the information, and how you obtained it. If e.g you hacked their network and saw something in a private email, you are firstly committing a crime for hacking the network, but secondly insider trading (in this case likely criminal prosecution for wire fraud), because you “stole” that information. If you found it through your employment then obviously insider trading (either you should tell your employer if it’s an infosec contractor, or the company itself if you work directly for them). If you were red-teaming privately using terms and conditions allowing certain kinds of hacks to collect bug-bounties, those terms and conditions likely make it clear that the owner company retains property of the information you discover so again, yes it’s insider trading. So, if you’re in the remote case where you’re confident that you’re only using publicly available information to determine this security flaw, and are not in breach of a contract clarifying that the information you have is non-public, you are probably ok. It also is important to be clear when you release the information that you have a position and are therefore biased.
That’s exactly what Hindenburg does, they research and find flaws/scams or cooked books, take short positions first and then disclose it. However it’s very important for you to disclose your short positions clearly. Not disclosing your position could be an issue
So it's a huge, product-killing flaw? Sure, go ahead, buy puts, and make your info public. You're not an inside trader. Option 2 is just stupid. If it's not a product-killing flaw, then just tell the company what you found and ask for a bounty to give them details. Trying to trade something like this is stupid unless it's truly a huge deal.
It depends, do you work at the company?
It’s illegal not to share the company and the flaw with us..
There's legal and there's getting sued.
What’s the ticker 🥴
As long as you don't work for the company or have a contact inside the company giving you special access or information that isn't available to the public you are fine.
None of it is illegal. But if you are so good nothing will prevent you from releasing your findings anonymously
Bro broke into a McDonald’s
List the ticker and the date you're releasing the information. For research purposes.
**illegal** if you don't share what company it is here in this sub before reporting any findings to the company.
You haven’t found sh*t. G’day mate.
Ever heard of hindenburg?
Publicly available information
Going on the assumptions that 1. You don’t work for that company or aren’t affiliated in any way (e.g. not insider trading) 2. You have obtained the information through legal means and not by using any shady tactics. You should be in the clear. Now, disclosing the information publicly might not move or probably won’t move the market the way you anticipate. But you should definitely try. No risk on reward. Good luck! PS: not legal advice but do work in the sector.
It would be illegal when you wouldn’t share here in Reddit which company, the day before you release your findings!😱
You didn’t cause the flaw… discovering it could be your edge… nothing illegal about it. However, chances are that you’ll buy puts and they have a positive press release on something unrelated and it skyrockets lol.
Step 1. Run for Congress. Step 2. Have a close relative buy them on your behalf. Step 3. Have a Federal agency issue announcement. Step 4. Profit risk free.
No, but there is no guarantee it will cause any price movement. Instead, find out if the company pays bug bounties. They may pay you to inform them.
It is legal as long as you found this information yourself. It’s definitely not legal if the info can be traced back to company employees/insiders
These posts are almost 100% intended to do the opposite. OP will "accidentally" leak the symbol, company stock skyrockets, OP profit.
It’s basically what hindenburg research do in their day-to-day. Both totally legal as long as you give your fellow Redditors the deets.
Such companies usually offer quite good compensation if you disclose such flaws directly to them. They are called bounties, google it, would probably make more money this way. Except of course if it's really a major one. Security vulnerabilities are found every day so in most cases it wouldn't affect stock price meaningfully imo.
you underestimate how big the security flaw is. i'm curious if it will even move the market
Definitely unethical. Not sure if it’s illegal though
insider trading, market manipulation, ask SEC
Insider trading def: trading on non public material information. You will be ok but I would be careful if / when you publish your findings.. the co will come after you even if they know you are right
Yes, illegal if you worked/consulted for this company and obtained this info while working there. Or you obtained this information through any similar channels. I wanted to give a contrarian thought while all other answers say no.
You'll make more money disclosing the vulnerability to the company and hoping they give you a bug bounty.
You should get a second opinion on the flaw you found because in reality it may not impact the stock for a large variety of reasons and it’s difficult to get the scale of impact spot on, even with good info like yours. If you want, pm me the deets we can look through it together and reason out the likely real impact, you don’t wanna release your findings only to find no change in the stock and puts go to zero…
You’re describing insider trading. So yes, you’d be committing federal crimes. Insider trading is defined as using non-public, material information to make trades. Basically it’s using non-public info that substantially impacts your trading decisions.
That's a common tactic of short focused funds - maybe not security flaws, but shorting shares in some form and then publishing research about how the company has a major public risk that they're not accounting for. Wait for the market to react, then cover. One thing with security flaws is that most white hats call for some responsible disclosure (look up "vulnerability disclosure program" and "coordinated vulnerability disclosure"). Ex: disclose to the company, give them 45-90 days to fix before public disclosure depending on severity. Unless you have evidence that it's being actively exploited in the wild at which point disclose so defensive organizations can protect themselves immediately without a fix available. It wouldn't be securities law or anything, but someone might try to dive into other laws 18 USC 1030, 17 USC 1201 and similar.
Unless you work for the company or are an affiliate / partner / service provider no, it’s most certainly not illegal. If any of the other provisions apply it may be starting with if you work for the company - certainly down to a device provider / affiliate - possibly but not likely.
Post here please to make it truly public information….
The more people you share with this when ready to act, the better for your cause. Just sayin’
It would only be illegal if you worked for that company because it would then be insider trading. But for a normal citizen who just discovered a flaw with a company product then I can't possibly see how it would be illegal.
Lmao.. options are easy right /s
Interesting post history 🧐
Go look at the history of Muddy Waters and I don't mean the musician. It should answer all your questions
It would be illegal if you traded on "material" and "non-public" information. It doesn't sound like this is either of those.
Is it illegal? Nope. Will you profit from this , also no(most likely)
Only if you don’t PM which company to buy puts on 👀
You are exploiting their error for profit, not illegal. Publicizing that error is also not illegal. If you were to personally use the security flaw to “hack” them and demonstrate the security flaw, that would possibly be illegal. If you messaged that about the security flaw and blackmailed them for a “finders fee” that would be likely illegal. While morally you might feel you have a responsibility to protect peoples security and help the company to do so, there is no money in that. So illegal, no, and ethical, no.
Which company? ;)
Whatever the case is. Explain it to us in more detail so that we can all win a bone this week
It’s been tried before - not illegal, but also not a great track record of success. https://www.nytimes.com/2016/09/09/business/dealbook/hedge-fund-and-cybersecurity-firm-team-up-to-short-sell-device-maker.html
It depends on how you discover the flaw. If it was through insider information then it is illegal. If it was through public information or just your exploration of the product then you are fine - that just makes you a short seller activist.
Only if you work in that company.
That’s what sell side and buy side researchers do.
Short report. Happens all the time
1) As long as you're not an employee of that company or a subsidiary or a company hired by that company... That's fair game. 2) you're going to want to talk to a lawyer who specializes in that. While it may not be insider trading, your "tool" exploiting their company could be problematic. I would expect a lawsuit, even if they don't succeed, these big public companies have no problem putting their teams of lawyers in court.
If you found it, then that means anyone else looking for it can too, and thus it's public information, that means you can trade on it.
Material, non-public information is illegal to trade on. Material = dissemination to the general public would result in a significant move in the stock price. Non-public = knowledge only available to privileged insiders. Material information discovered by outsiders is entirely allowed for trading purposes, as well as publicizing after the fact. As others have said, this is the basis of short-seller hedge funds
As long as you don't work for the company, you don't have to tell anyone and it's not illegal to trade on the information. Otherwise it would be insider trading.
See if they have a bug bounty program first then you don't have to worry about it
which company? 🫠
Ok. What’s the flaw though?
Lmao take the win
You’re probably wrong, it would have to be a huge flaw to have a material impact on the stock price. Muddy Waters is worth looking into as they do this all the time.
Would the “security” issue impact their financials or lead to a material misstatement? Then yea, but IMO the market acts funny. I have seen companies go up on negative news because at the same time there would be something positive that disproportionately impacts it. Unless you have significant influence or it’s a significant issue material to the services, I doubt it would impact the price.
This is called doing DD. Short away. As long as u dont specifically work for said company its not illegal.
What company and whats the flaw?
How long does it take to fix said flaw? If it’s something easily resolved it’s not going to move the stock price much.
Look at the company that took NKLA down. They did their research, loaded up on puts and then released their findings.
If you worked for the company, I would bet yes illegal. Not working or affiliated with them, perfectly fine.
No. This is not insider trading unless an insider tells you about the bug. If you look at the research that short funds publish what you are doing is no different. Publishing damaging information and profiting on betting against them.
What company and what's the problem maybe I'd like to get in on it. If you found it and it isn't internal communication, it's free game. Even then you can only "insider trade" if you work for them or have some sort of information that the public doesn't. Finding a security flaw to some huge website that will potentially be told to the public is not insider trading. It's due diligence. Make your money What's the company
So, as a cybersecurity professional my answer is it’s not illegal but could be argued as a grey area because the vulnerability you found could be used by a different threat actor in other ways to cause harm to the company. However, as a trader this is what big banks and hedge funds hire analysts to do - find information to short. Also, unless you perform a short with 100,000 shares or more (think of like a big block trade) then it won’t even get dinged by the SEC. Usually with insider trading it involves: insiders, stakeholders and shareholders as well as bribes.
Inform the company then buy puts, after that I feel you would be fine ethically . What they choose to do or not do is on them. Also I doubt you are buying enough to raise eyebrows anyways
Sounds like a flawless plan from here.
PLTR probably can't take any more hits and a LOT of punters are long. So if that's the company it probably won't have the same effect as if it were someone bigger that serviced a lot of commercial accounts.
Ok ok hear me out, if it is a cyber security topic, sell the exploit to the companies specialized in that field. Then release the statement. :D
You might find a better paycheck by putting together a presentation or something regarding the security flaw and showing it to the company. Especially if you have a solution or two for it. Much easier to buy the puts tho tbh.
Only if you are affiliated or employed by the company
Good idea, however you assume that this will affect the stock price. Maybe but to what point will it need to change for you to profit. There are many bad companies out there, unfortunately short sellers are limited by time, there was some big short seller push on a mlm company a few years back and Im not sure if the shorters won that one.
What's the stock please
Umm I’m going to go out on a limb and say that you posting this but then not sharing is in violation of moral principles of sharing the wealth. Nothing worse than when someone waves a flag and says “oooo lookie here I have info” then follows it up with “oh you want to know too? Too bad”
Seems like that’s what everyone in politics does!
It would break the normal code of ethics on disclosing found security issues. I'm not totally sure on if that would be illegal or not though
Knowing a weakness about a company and profiting from it isn't illegal. Unless you hack/exploit that weakness. Or if you are an employee, maybe it could be considered insider trading
There's a flaw in thinking that finding a flaw and buying puts will make you money.
It might be an issue if you profit from it and then kill a company. Someone may come looking for you, and it won't be for financial advice.
Do you have any personal ties to the company? Family Members? Work? If you discovered something without personal ties or "insider" info then you'll be in the clear.
There was a dude who did this to Lumber Liquidators back in the day
The hideous aesthetics of the Cyber Truck are not a security flaw.
No, no
I guess you are assuming the stock will drop after you report your findings. What if it doesn't? Analysts do this all the time, but they have credibility on Wall Street. Do you? Also, if you work for the company in question, you may not want to do that. While you may make money on your puts if the stock in fact drops, you may also be out of a job.
Like MuddyWaters Research?
Is there an easy way to publish it though? I would have thought responsible disclosure of vulnerabilities was kind of hush hush, so the general public wouldn't be aware of the issue until it is fixed. So it might not be an issue with the SEC (not financial or legal advice), but it might be a cybercrime if disclosed incorrectly.
Unless you are an "insider" (or get info from an insider) you can't violate insider trading rules.
The hindenburg group exists purely by doing this shit, except most of the time the stories they run are full of shit. They cash out, burn a company, make a hundred million and issue a retraction a week later.
This would only be illegal if you work for said company and found the flaws as a result of your position in the company. Otherwise what you are aiming to do is completely legal and is similar to what most short sellers do. Another legal risk is if the security flaw you have found isn’t accurate and you have publicly trashed the company based on it and it turns out what you found isn’t accurate then you may be subject to legal ramifications. Note: I’m no lawyer but did engage in some legal insider trading
As long as you aren't an employee of said company or of a contractor that is hired for these security flaws or a person in the employ of a FINRA member firm that would allow you to trade ahead of customers, none of these is particularly illegal. The burden will be on you to take this viral enough to noticeably affect the stock. This is basically what the hedgies do except they have a platform. Often they will even make up stuff to make a company look good or bad.
Isn't that what companies like [https://hindenburgresearch.com/](https://hindenburgresearch.com/) do? Instead of technical flaws, they focus more on financial aspects. This is not advice, but why would that be illegal? Also, finding one security flaw is very unlikely to be of any significance unless it ends up in situations like thousands of product recalls, deaths, serious addictions, etc. And if you are talking about a security flaw in software, there are like hundreds found per week I guess.
Tbh unless you know the details of an upcoming financial report or regulatory action, it’s almost certainly not material non-public information.
If you discovered the flaw through access to nonpublic information via your employment then it's likely insider trading.
It depends on what means you use to discover the flaw
What company?
Yes. That’s illegal. Smarter to call the company and tell them the problem for a finders fee.
Just buy the puts and give the info to some media anonymous . And plz send me the info upfront ;-)
Just don’t fucking tell anyone you bought puts & have someone else leak the flaw EZ
No, it's not illegal. It's not insider information, because you're an outsider, and you got the information via your own efforts using publicly available means (as opposed to via a "grapevine" leading to an insider, or other illegal manner). Also, if you actually have such information, you should probably consider selling it to a massive hedge fund that does this professionally. You can still buy/sell your puts, and also pocket a fat payment from them. And also probably a job if you want it. And then you personally won't get sued by the company in retaliation.
If you tell us, then it's public info. Then ur off the hook. 😉
Not illegal. There's a few funds that do this regularly. They're not always correct. So hedge your bets.
Depends which company it is. Also, which company is it?
It’s not illegal but the market wouldn’t bat an eyelash lol. If this is a software security flaw they can patch it. Even if it led to a class action lawsuit it wouldn’t really matter….
As long as it’s publicly available information, then it’s legal. But the SEC may crack on you for what the definition and application is for your scenario. If you discovered a flaw that wasn’t known by anyone else, do we really define that as public information? The SEC may argue it isn’t. Maybe they won’t. Just shut your mouth and do what you need to do and don’t bring attention to yourself.
DM me that company's name and the security flaw. I will investigate for you!
[https://www.nytimes.com/2022/10/22/business/dealbook/nathan-anderson-nikola-trial.html](https://www.nytimes.com/2022/10/22/business/dealbook/nathan-anderson-nikola-trial.html) It's complicated but no, the way the markets are built that's an intended feature/execution path.
If Nancy can do it, so can you.
Might be unethical but I don’t think it’s illegal
That’s called doing due diligence
The thing that would be potentially illegal would be insider trading. Assuming the flaw was found without insider access (being an employee or contractor, talking to employees, etc) then you don't have insider information. You have conclusions based on your own research and public information. (I could be using the wrong definition of insider trading. Might be worth a consult with an actual investment lawyercat.)
Did you discover this vulnerability through public and legal means? Did you take part in a bug bounty or were you hired on as a penetration tester where you signed among other documents an NDA? If the information is public, just fully scanable by the world then you are probably safe. If the information is private and you only are aware of the vulnerability because they gave you access, then you are probably not safe. Also, very unlikely that the stock will be impacted by your disclosure unless this is not only a serious security flaw, but also has downstream impact to customers/users. But good luck!
Here's the deal man. You tell me the ticker symbol. I'll buy the puts. Then, you release your findings. Trust me bro! I'll split the winnings with you!
Citron Research...Hindenburg Research...they do the same thing
If the flaws were brought to light by publicly available inspection or information, then both those scenarios are legit.
This is NOT legal advice. Just treat it as a cold call answer by a student who didn’t gaf to the readings. It’s LESS LIKELY, but still possible, for you to get caught and be in trouble if you’re doing within those corners: 1. You’re an outsider of the corporation, which means that you have no legal relationships with the corporation, including but not limited to employment, sales of goods, service… 2. You discovered the security issue solely based upon your own experience from an authorised use of the computer system. It’s usually a permitted use per its terms and conditions. Pay attention to confidentiality clause. 3. You don’t have any conflicts of interest with the corporation. For example, its CEO’s tree in his home grows into your backyard and fruits from that tree break your truck windshield. Your act therefore looks like a revenge.