We don't need an eBay for security holes

It's been likened to an eBay for hackers -- new security site WabiSabiLabi is a marketplace for auctioning security vulnerabilities. If you visit the marketplace right now you too can bid on a remote code execution vulnerability in a Linux package, or a buffer overflow in OpenOffice, for just the low, low price of 2,000 euros.

Does this make anyone else out there really uneasy? It strikes me as a really bad thing to legitimise the buying and selling of vulnerabilities. It's nothing less than putting the security of innocent web users at the mercy of the highest bidder. Who do you think has more to gain from its purchase: the guy who wants to use it as part of a phishing swindle, or a generous soul practising full disclosure? Now ask yourself who's going to pay 2 grand for it.

I'm not naive enough to think that the clandestine selling of security holes hasn't been going on for years already. Maybe it's the fact that it's now all out in the open that's causing the problem for me, but I'd just hate to see this become the point of security research. I mean, for a lot of people it's going to become a case of: why give away for free what you can make money off so easily? Altruism works fine up to a point, but if the dominant method of disclosure is privately selling to the highest bidder, then it's going to be mighty tempting to a lot of folk.

What is the mechanism in place to stop nefarious characters from getting their hands on the vulnerabilities? A rigorous identity check. Bound to work when you're dealing with hackers; to get past that they'd have to be able to do something impossible, like steal someone's identity on the Internet. Hah!

Who are these WabiSabiLabi guys anyway? Their contact info is just a business address in Switzerland. However, the site owners get access to every piece of 'security research' sold on the site, on the premise that they can verify that the vulnerability does in fact exist.

What is then to stop them turning around and selling the information to a third party? Nothing but their conscience. Nothing against the WabiSabiLabi owners but this is the Internet.

One thing we do know about them is that they're not the biggest fans of ethical disclosure. Their FAQ has got this to say:
"The system introduced by 'ethical disclosure' has been historically abused by both vendors and security providers in order to exploit the work of security researchers for free. This happens only in the IT security field as, for example, nobody in the pharmaceutical industry is blackmailing researchers (or the companies that are financing the research) to force them to release the results for free under an ethical disclosure policy. In this view, WabiSabiLabi has a not-for-free-disclosure policy, explicitly aiming to reward researchers."

Most of the larger vendors won't even consider paying for vulnerability research, and this looks to me like it could be an attempt to force them into playing the game the hackers want. I've got no problem with researchers being rewarded for their efforts, but to a lot of vendors this has got to make the site and its sellers the enemy -- they're directly making money off holes in the vendors' products. If the vendors want to patch them, they've got to stump up the cash.

So far the marketplace has only been doing business in the small fry, but even so, with auctions being won at prices of thousands of euros it's nothing to sneeze at for struggling hackers. Who knows how high the bidding could go if, say, a Windows vulnerability such as the one that gave MSBlaster its legs hits the marketplace?