[LINK] An Auction Site for Vulnerabilities

Bernard Robertson-Dunn brd at iimetro.com.au
Sat Jul 7 09:51:13 AEST 2007

An Auction Site for Vulnerabilities
Tim Wilson
Site Editor
Dark Reading
July 5, 2007

Discover a security flaw in a major application or system? You can't 
sell it on eBay. But starting this week, you can sell it on a new 
auction site that's not too much different.

WabiSabiLabi, whose marketplace opened for trading on Tuesday, is aiming 
to change the back-room market for security vulnerabilities and move it 
into the mainstream. Any researcher who finds a flaw can register to 
sell it on WSLabi's marketplace. WSLabi, a "neutral, vendor-independent 
Swiss laboratory," checks out the vulnerabilities and verifies their 
validity in its own labs before allowing them to be auctioned.

"This thing could definitely have legs," says Jeremiah Grossman, CTO of 
WhiteHat Security. "I've heard people talk about selling exploits for a 
while, auction-style or otherwise, but this is the first auction 
implementation I've seen. All this would take is a couple of successful 
transactions, and it could cause a big shift in the way we traditionally 
think about the vulnerability disclosure process."

There are currently four auctions running in the WabiSabiLabi marketplace, 
including a Linux kernel memory leak vulnerability that starts at 500 euros.

The marketplace's founders say they believe the "ethical disclosure" 
policy followed by many security researchers is costing them money. "The 
system introduced by 'ethical disclosure' has been historically abused 
by both vendors and security providers in order to exploit the work of 
security researchers for free," the auction site says.

"This happens only in the IT security field," the site states. "Nobody 
in the pharmaceutical industry is blackmailing researchers (or the 
companies that are financing the research) to force them to release the 
results for free under an ethical disclosure policy.

"In this view, WabiSabiLabi has a not-for-free-disclosure policy, 
explicitly aiming to reward researchers," the founders state. "The only 
free information available to both vendors and public will be the 
general information on each piece of security research listed on the 
marketplace, which will be enough to understand the issues introduced by 
each security research, without disclosing any sensible technical detail."

"Recently it was reported that although researchers had analyzed a 
little more than 7,000 publicly disclosed vulnerabilities last year, the 
number of new vulnerabilities found in code could be as high as 139,362 
per year," said WSLabi CEO Herman Zampariolo, in a written statement. 
"Our intention is that the marketplace facility on WSLabi will enable 
security researchers to get a fair price for their findings and ensure 
that they will no longer be forced to give them away for free or sell 
them to cyber-criminals."

WSLabi states that the research can only be sold under the condition 
that "the provided security research material must not come from an 
illegal source/activity." The site does not say which country's laws it 
will use to define the term "illegal" -- Germany, for example, recently 
adopted legislation that essentially outlaws all unauthorized access of 
computers, even for security research.

Researchers who have seen the site say their first concern is who will 
be allowed to buy the vulnerabilities. WSLabi says it will "carefully 
evaluate" all potential buyers "to minimize the risk of selling the 
right stuff to the wrong people." But the site does not describe its 
process for doing the vetting, other than requesting a phone number and 
a faxed copy of an identity card.

"My main fear with this type of thing is that it is difficult to 
differentiate between a legitimate buyer and someone who simply wants to 
use the vulnerability for nefarious purposes," says Robert Hansen 
(a.k.a. RSnake), CEO of SecTheory LLC. "Many of the biggest players in 
the software industry have said time and time again that they will not 
buy vulnerabilities, in the same way that the U.S. does not negotiate 
with terrorists."

WSLabi says it will help researchers design the best selling scheme and 
starting price for their discoveries, "enabling them to maximize the 
value of their findings. A piece of research that would currently sell 
to one company on an exclusive basis for $300 to $1,000 could sell for 
ten to twenty times more than this amount using the portal," the auction 
site says.

The site works much like eBay, with options for Dutch auctions, Buy Now, 
and a definite running time for each auction. Sellers can choose to sell 
exclusively to a single buyer or to multiple purchasers. WSLabi did not 
disclose how much it charges to test the vulnerabilities and act as a 
broker for each sale.

"I'd expect several researchers to give it a try," Grossman says.

Bernard Robertson-Dunn
Sydney Australia
brd at iimetro.com.au