Found a security flaw in Windows or Linux and eBay won’t let you post it to its Everything Else section? Not a worry, just let WabiSabiLabi sell it for you.
WSLabi opened for business this week. The company said its Web site will offer known and verified vulnerabilities in applications and operating systems and promises to do it an open way, as opposed to the underground sales sites where exploits are sold and traded in the shadows of the Internet.
WSLabi bills itself as a “neutral, vendor-independent Swiss laboratory” that verifies all vulnerabilities submitted to the site in its own labs before allowing them to be auctioned.
It currently has four auctions running, including a Yahoo Messenger exploit and a Linux kernel memory leak. The Linux bid is at 600 Euros with one bidder while the Yahoo bid has no bidders at its starting price of 2000 Euros.
Herman Zampariolo, CEO of WSLabi, said in a statement “We decided to set up this portal for selling security research because although there are many researchers out there who discover vulnerabilities very few of them are able or willing to report it to the right people due to the fear of being exploited.”
WSLabi estimates that while researchers had analyzed a little more than 7,000 publicly disclosed vulnerabilities last year, the number of new vulnerabilities found in code could be as high as 139,362 per year. It did not say how it arrived at so precise a number.
“Our intention is that the marketplace facility on WSLabi will enable security researchers to get a fair price for their findings and ensure that they will no longer be forced to give them away for free or sell them to cyber-criminals,” said the statement.
The reaction among security experts is more along the lines of “Are you kidding me?!!!”
Marc Maiffret, CTO and co-founder of eEye, compared paying for security vulnerabilities to paying ransom for a kidnapping.
“As soon as software vendors start paying for them, the price will go up, and it becomes extortion at that point,” he told internetnews.com. “So [the bids] will either get bought by security companies so they have clout but most likely it will be used by bad guys to create spyware or something like that.”
Natalie Lambert, senior analyst with Forrester Research, didn’t see much value in the site either. “I don’t see this necessarily as doing good by selling [vulnerabilities]. That’s what a lot of the security researchers do for free. Maybe it’s for overall good but I see no reason to make money on this. This seems like making money on something that isn’t theirs,” she said.
WSLabi said researchers and buyers would have to identify themselves to WSLabi to ensure they are legitimate before making a purchase, and no bids can be submitted if they come from an illegal source or activity. Buyers will also be carefully vetted before being granted access to the auction platform so that the risk of selling the right stuff to the wrong people is minimized.
Maiffret admitted that there is not a lot of motivation for independent researchers to work with vendors because vendors can be slowpokes at getting things fixed, “but I’m not sure this is the right way to do it, though. I hope that security companies take the high ground and don’t support these guys.”