Summary: There's a new player in the exploding market for zero-day vulnerabilities -- an eBay-like auction site offering a place to buy and sell flaw research information.

The Swiss-based site, called WabiSabiLabi, launched earlier this week with proofs of concept and details on four vulnerabilities being hawked at prices ranging from 500 Euros to 2,000 Euros.

The launch (discussed on Techmeme) aims to level the playing field for researchers who struggle to get a fair price for zero-day flaw information.

It's well known that there's an active underground black market for vulnerabilities, but white-hat researchers looking to profit from their work -- and to get bugs reported responsibly to the affected vendors -- have only a few places to turn.

On the legitimate side, companies like TippingPoint, iDefense and Immunity all purchase exclusive rights to flaws and exploits but, as Charles Miller explained to Rob Lemos, the market isn't fair to sellers because there is no way to test the true value of a bug.

With WabiSabiLabi, this could change.

Chief executive Herman Zampariolo explains the idea:

We decided to set up this portal for selling security research because, although there are many researchers out there who discover vulnerabilities, very few of them are able or willing to report them to the right people due to the fear of being exploited. Recently it was reported that although researchers had analyzed a little more than 7,000 publicly disclosed vulnerabilities last year, the number of new vulnerabilities found in code could be as high as 139,362 per year. Our intention is that the marketplace facility on WSLabi will enable security researchers to get a fair price for their findings and ensure that they will no longer be forced to give them away for free or sell them to cyber-criminals.

When a registered researcher submits a flaw for auction, WabiSabiLabi will verify the research by analyzing and replicating it at its independent testing laboratories.

WSLabi will also help researchers to design the best business model (e.g. selling schemes, starting selling price, etc.), which will enable them to maximize the value of their findings. For example, a piece of research that would currently sell to one company on an exclusive basis for $300 - $1000 could sell for ten to twenty times more than this amount using the portal.


  • Some Zero-Day flaws become 365-day flaws.

    The problem with MS, as everybody knows, is that they bloat the system with so-called Security updates that cause the system to eventually become unstable.

    When this happens to most people, the most common response is to wipe the drive, then re-install the Windows version.

    Then... Unless they tell the OS NOT to, the OS re-installs all 274.3 Security updates: Plus the newest 17 updates that came out in the last 15 minutes, and the next 15 and a half Dot-Net critical updates, if not new full versions of Dot net. Tomorrow, will I have to download Dot Net 4.0, 5.0, and 6.0?

    No Thanx... Give me XP with no security updates. I can protect myself fairly well without them.

    However, regarding that site, very interesting. There may even be a VALID reason for people to use it.

    What I am hoping for is that someday, some bright programmer will develop an OS that is non-Unix or Linux, and that allows every version of every program ever developed for Windows 95, 98, ME, 2000, XP to run, and that requires NO security updates, will install without handshaking with Microsoft, and I can set my own level of security... STARTING FROM ZERO... And the added choice to leave the computer OFF of any network if I so wish. Can somebody do that for us please?

    The website in this article reflects Microsoft's willingness to change everything right at the moment it becomes stable... Oh, at least twice a day. Why can't programs that ran under Windows 3.11 run under Vista... If we want them to? The fact is, even if the code of the program will run in the new environment, Microsoft will make sure that the installer will not work.

    I have found that most programs, with just a little bit of research, especially those that refuse to install into the next version target OS... will actually run under the target OS, but the installers do not.

    What people want is security: Not security in the form MS shoves at us, but security in that the 600 dollars they spent this year on software needed for a certain task will continue to work next year in subsequent OS environments.

    If MS would stop tweaking with these so-called security updates, and concentrate on making the OSes stable and more accepting of the existing software instead of forcing the developers to make an untimely update, more people would be less willing to USE websites that offer vulnerabilities like this.
      • I agree with you, KTLA

