A site to auction off vulnerabilities

Application vulnerabilities and security flaws are now a marketable commodity, thanks to the Swiss security firm WabiSabiLabi (its name is derived from the Buddhist concept of wabi-sabi, "imperfect, impermanent, and incomplete"). The new marketplace will allow security researchers to auction off information about security exploits to the highest bidder online.

Here's a quote from an article at Dark Reading:

"Recently it was reported that although researchers had analyzed a little more than 7,000 publicly disclosed vulnerabilities last year, the number of new vulnerabilities found in code could be as high as 139,362 per year," said WSLabi CEO Herman Zampariolo, in a written statement. "Our intention is that the marketplace facility on WSLabi will enable security researchers to get a fair price for their findings and ensure that they will no longer be forced to give them away for free or sell them to cyber-criminals."

Setting aside the claims of the company executives, the business model could stir a hornet's nest, as there is always a chance that an exploit will be bought and deployed for illegal purposes. WabiSabiLabi executives confirmed that all measures would be taken to ensure that vulnerabilities were not sold to illegitimate buyers. Also, every vulnerability would be verified before being listed on the site.

More links:

Security exchange trades zero-day flaws (VNUnet)

Finally, a marketplace site for security research (Zone-H.org)

Earlier, security researchers had to share vulnerability information with the software makers through Ethical Disclosure, the terms of which have not exactly been to the advantage of the vulnerability discoverers. But the crux of the issue is this: is it in the best interest of the software ecosystem to let vulnerabilities be marketed online? Security is crucial for enterprises and home users alike, and your opinion matters most. Join the discussion.

11 comments
pr.arun

Is auctioning vulnerabilities safe for the full spectrum of users involved with a piece of software?

Julien Thomas

For me, I think that the most important point with this website is that something may change, depending on how it will evolve. Nowadays, researchers are not well recognized for their work when they discover security holes. Let's have a look at a recent event about a bug disclosure. Sorry for the fact that I forgot what the real subject was, but here is the fact: a researcher discovers many security holes. He contacted the publisher but no responses came back for at least one week. He had to post on a forum where developers used to go and to threaten them with disclosing the bugs before they contacted him! Will this marketplace change this? I think so. But will it have much impact? I don't know. For the security aspects about bug disclosures due to hackers (!! ?) who would bid high, the website administrators indicate that they will validate registration and maybe bidding (I think). So ...

therealbeadweaver2002

IF security vulnerabilities ARE sold online, and a criminal bids higher than the manufacturer, and the manufacturer does nothing about it, then I, personally, will just NOT USE ANYTHING from THAT manufacturer. If enough do this, then maybe the manufacturer would get on the ball and START REPAIRING its products.

Absolutely

The article is interesting, but I'm skeptical of this Swiss company's apparent assumption that the software so well-known for its many vulnerabilities is so because they don't know it's crap when they release it. If purveyors of crap software cared about the quality of their work they'd pay some full-time workers to do the same work. As we know, they aren't doing that, or aren't doing it enough to really be *ahead* of the bad guys. So, I don't see any basis for assuming that one more publisher or distributor of information about security liabilities is going to provide the impetus to make a quality product that really can only be delivered by a true competitor -- meaning, another provider in the same product space, capable of doing business on the same scale. Without real competition we're going to have to keep settling for uncompetitive businesses and their practices.

pr.arun

Yes, indeed, unless there are competing products in the same space, firms may not be concerned enough to fix issues. But at least the Swiss firm provides a relevant channel for such vulnerabilities to be showcased. I mean, the idea as a whole seems novel. The concern is whether it sends the right message to software makers.

Absolutely

I just don't think it's terribly likely that having the information "out there" is going to be the impetus that makes a significant change in the market. Lexis-Nexis has been around for how long, and how many people are still ignorant of its contents?

robocso

For as long as there has been software, companies have relied on the expert user to find and report bugs and vulnerabilities without reward. It is high time that big companies started rewarding users/researchers who, through their submissions, improve a product. Let Microsoft and others pay the security researcher for the time it took to find a vulnerability, just as they would have paid one of their own staff members. No more free lunch for big companies making billions out of their software.

hdn.de

... when rules were set up disclosing the vulnerability at last to the public together with the complete auction history, purchasers of the software and maybe even support contracts could hold their software suppliers liable for proven failure to act on those vulnerabilities, putting them and their business at risk while maximizing their profit. This could really change the business model for companies like Oracle a lot! So I think it won't take us long to see them taking massive legal measures against that Swiss vBay...

pr.arun

They would be taking a chance of coming under a lot of fire if the fixes are not implemented in a short period of time. One plausible scenario could be where the site makes the vulnerability publicly available after a negotiated period of time from the purchase date. There are risks involved, but it would get the software maker to quicken the development of a fix.

Tig2

But is it the best execution? By selling a software maker's vulnerabilities on an open market, we can reasonably reduce the chances that those vulnerabilities will be made known - or fixed. I grant that there have been vulnerabilities reported that have gone months without fixing. But those were known to the technical public and the information was made available to the general public. With that information in hand, we could often help our end users make better product choices. We could at least manage the risk better. In this model, the software maker has the ability to purchase the knowledge and hide it away. To my mind, not the best outcome. From another perspective, when is the right time to call out a vulnerability? Before or after the software maker has been informed? It will be interesting to see what happens with this.

midniteone

Because, to some extent, it's out there already. I suppose they're trying to get more 'good guys' - i.e. people wanting to solve the problem, not exploit it - to join in the game, and trying to make it lucrative (or at least worthwhile) for them to do so. Presumably anyone already trying to make money out of it (and having the time/skill/inclination) could already post the info on a variety of media, so it's not as if this sort of info is under some kind of monopoly control. It's unlikely that a comparative newcomer will open up some sudden and startling new vulnerability in IE or any of the other browsers (just as a random example, you understand!!) which a 'savvy' criminal won't have found or considered already. It's maybe not a bad idea to open up what could be quite a murky corner of the operation. Having said that, it doesn't actually solve the problem of the software providers (etc.) needing to actually FIX the things once they're made known (cf. forum item on 52% of Vista unpatched in 6 months). Now if we started paying people to do THAT part of the work...(?) As for the ecosystem, either Darwinism will kick in (and only the strongest hang on) or the existing multiway and antagonistic pseudo-monopolies will sustain themselves as always.