
July 6th, 2007

Auction site opens up for exploits, vulnerabilities

Posted by Ryan Naraine @ 8:52 am


There’s a new player in the exploding market for zero-day vulnerabilities — an eBay-like auction site offering a place to buy and sell flaw research information.

The Swiss-based site, called WabiSabiLabi, launched earlier this week with proof-of-concepts and details on four vulnerabilities being hawked at prices ranging from 500 Euros to 2000 Euros.

Yahoo vulnerability on sale at eBay-type auction site

The launch (Techmeme discussion) balances the playing field for researchers who struggle to get a fair price for zero-day flaw information.

It’s well known that there’s an active underground black market for vulnerabilities, but white-hat researchers looking to profit from their work — and get bugs reported responsibly to affected vendors — have only a few places to turn.

[ SEE: Should Microsoft start paying for vulnerabilities? ]

On the legitimate side, companies like TippingPoint, iDefense and Immunity all purchase exclusive rights to flaws and exploits but, as Charles Miller explained to Rob Lemos, the market isn’t fair to sellers because there is no way to test the true value of a bug.

With WabiSabiLabi, this could change.

Chief executive Herman Zampariolo explains the idea:

We decided to set up this portal for selling security research because, although there are many researchers out there who discover vulnerabilities, very few of them are able or willing to report them to the right people due to the fear of being exploited. Recently it was reported that although researchers had analyzed a little more than 7,000 publicly disclosed vulnerabilities last year, the number of new vulnerabilities found in code could be as high as 139,362 per year. Our intention is that the marketplace facility on WSLabi will enable security researchers to get a fair price for their findings and ensure that they will no longer be forced to give them away for free or sell them to cyber-criminals.

When a registered researcher submits a flaw for auction, WabiSabiLabi will verify the research by analyzing and replicating it at their independent testing laboratories.

WSLabi will also help researchers to design the best business model (e.g. selling schemes, starting selling price etc.) which will enable them to maximize the value of their findings. For example, a piece of research that would currently sell to one company on an exclusive basis for $300 - $1000 could sell for ten to twenty times more than this amount using the portal.

More from Dancho Danchev and Matasano’s Dave Goldsmith.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.


