Auction site opens up for exploits, vulnerabilities

Summary:There's a new player in the exploding market for zero-day vulnerabilities -- an eBay-like auction site offering a place to buy and sell flaw research information.

Auction site opens up for exploits, vulnerabilities
There's a new player in the exploding market for zero-day vulnerabilities -- an eBay-like auction site offering a place to buy and sell flaw research information.

The Swiss-based site, called WabiSabiLabi, launched earlier this week with proof-of-concepts and details on four vulnerabilities being hawked at prices ranging from 500 Euros to 2000 Euros.

Yahoo vulnerability on sale at eBay-type auction site

The launch (Techmeme discussion) balances the playing field for researchers who struggle to get a fair price for zero-day flaw information.

It's well known that there's an active underground black market for vulnerabilities but white researchers looking to profit from their work -- and get bugs reported responsibly to affected vendors -- have only a few places to turn.

[ SEE: Should Microsoft start paying for vulnerabilities? ]

On the legitimate side, companies like TippingPoint, iDefense and Immunity all purchase exclusive rights to flaws and exploits but, as Charles Miller explained to Rob Lemos, the market isn't fair to sellers because there is no way to test the true value of a bug.

With WabiSabiLabi, this could change.

Chief executive Herman Zampariolo explains the idea:

We decided to set up this portal for selling security research because although there are many researchers out there who discover vulnerabilities very few of them are able or willing to report it to the right people due to the fear of being exploited. Recently it was reported that although researchers had analyzed a little more than 7,000 publicly disclosed vulnerabilities last year, the number of new vulnerabilities found in code could be as high as 139,362 per year. Our intention is that the marketplace facility on WSLabi will enable security researchers to get a fair price for their findings and ensure that they will no longer be forced to give them away for free or sell them to cyber-criminals.

When a registered researcher submits a flaw for auction, WabiSabiLabi will verify the research by analyzing and replicating it at their independent testing laboratories.

WSLabi will also help researchers to design the best business model (e.g. selling schemes, starting selling price etc.) which will enable them to maximize the value of their findings. For example, a piece of research that would currently sell to one company on an exclusive basis for $300 - $1000 could sell for ten to twenty times more than this amount using the portal.

More from Dancho Danchev and Matasano's Dave Goldsmith.

Topics: Security

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.