Vulnerability auctions compromising security

A security firm has warned that the market trading in vulnerabilities is 'hotting up', at the expense of responsible disclosure

More security researchers are selling vulnerabilities to the highest bidder rather than disclosing them "responsibly" to the vendor whose products are affected.

At a breakfast briefing organised by email security firm MessageLabs on Wednesday, Graham Ingram, general manager of the Australian Computer Emergency Response Team (AusCERT), said that a market where vulnerabilities in software are traded is hotting up and the rewards for researchers can be very tempting.

"I would speculate that if I am a vulnerability researcher and I have the option of, for example, a nice mention from Microsoft on an advisory under 'responsible disclosure' or pay off my mortgage, which one do I choose?"

Responsible disclosure occurs when a security researcher discovers vulnerabilities in a popular application and then reports them to the relevant vendor rather than publishing the details online or, as has become a trend recently, selling that information to the highest bidder.

"The economy on the marketplace is facilitating the sale of everything you want, from custom Trojans to rootkits, and moving through to things like vulnerabilities, which are a marketable commodity," said Ingram.

Last week, security firm Finjan published evidence, compiled by the company's Malicious Code Research Centre, showing examples of vulnerabilities being sold online.

Finjan's chief technical officer, Yuval Ben-Itzhak, said that researchers will be even more likely to sell their discoveries as the demand — and therefore the price — goes up.

"The name of the game is money… we see a trend towards commercialisation of malicious code. Motivated by financial gain, hackers are honing their skills and becoming more ambitious, targeting the growing numbers of Internet users and stealing personal details and financial information, as well as compromising intellectual property," said Ben-Itzhak.

In its report, Finjan published screenshots of emails that already appear to be soliciting bids for vulnerabilities in Microsoft's IE 7 and Windows Vista, which is not going to be released until next year.