A site to auction off vulnerabilities

Application vulnerabilities and security flaws will henceforth be marketable, thanks to the Swiss security firm WabiSabiLabi (its name is derived from the Buddhist concept of "imperfect, impermanent, and incomplete"). The new marketplace will make it possible for security researchers to auction off information about security exploits online to the highest bidder.

Here's a quote from an article at Dark Reading:

"Recently it was reported that although researchers had analyzed a little more than 7,000 publicly disclosed vulnerabilities last year, the number of new vulnerabilities found in code could be as high as 139,362 per year," said WSLabi CEO Herman Zampariolo, in a written statement. "Our intention is that the marketplace facility on WSLabi will enable security researchers to get a fair price for their findings and ensure that they will no longer be forced to give them away for free or sell them to cyber-criminals."

The company executives' claims apart, the business model could stir a hornet's nest, as there is always a chance that an exploit bought through the site will be deployed for illegal purposes. WabiSabiLabi executives confirmed that all measures would be taken to ensure that flaws were not sold to illegitimate buyers over the site. They also stated that every submitted flaw would be verified before being posted on the site.

More links:

Security exchange trades zero-day flaws (VNUnet)

Finally, a marketplace site for security research (Zone-H.org)

Until now, security researchers had to share vulnerability information with software makers through Ethical Disclosure, the terms of which have not exactly favoured the vulnerability discoverers. But the crux of the issue is this: is it in the best interest of the software ecosystem to let vulnerabilities be marketed online? Security is crucial for enterprises and home users alike, and your opinion matters most. Join the discussion.