Vulnerabilities Marketplace

Monday, July 9, 2007

The goal of the WabiSabiLabi (WSLabi) exchange is to reward security researchers without putting valuable information in the hands of criminals, according to a company announcement.  “We decided to set up this portal for selling security research because although there are many researchers out there who discover vulnerabilities, very few of them are able or willing to report it to the right people due to the fear of being exploited,” Herman Zampariolo, the company’s CEO, said in the statement.  “Our intention is that the marketplace facility on WSLabi will enable security researchers to get a fair price for their findings and ensure that they will no longer be forced to give them away for free or sell them to cybercriminals.”  The new business raises the debate over responsible disclosure.  Some critics today denounced the venture, saying it invites criminal buyers and exposes end-users to unnecessary risk. 

According to the company, registered users can sell their research – once verified by WSLabi’s own laboratory – through an auction, to as many buyers as possible at one price, or privately to a single purchaser.  Both buyers and sellers will be examined to ensure they are legitimate, according to the announcement.  “Researchers cannot submit security research material which comes from an illegal source or activity,” the statement said. “Buyers will also be carefully vetted before being granted access to the platform so that the risk of selling the right stuff to the wrong people is minimized.”

But Gunter Ollman, director of security strategy for IBM Internet Security Systems, said today that he disagrees with the auction site.  “It’s a close match to what’s been existing in the underground,” he said.  “We’ve got the same sort of people finding these bugs, looking to make money off these bugs, and here we have another channel for them to potentially sell them.”

Meanwhile, John Hill, security evangelist at McAfee, said he worries that identity thieves posing as reputable researchers may try to purchase the vulnerabilities.  He also questions whether policies are in place to guarantee that sellers will not turn around and peddle the same research in an underground forum.  And Hill said he doubts WSLabi plans to report the research to the affected vendors, as the bounty programs at TippingPoint and VeriSign iDefense do, thereby leaving end-users exposed.

So far, four vulnerabilities – among them a Linux kernel memory leak and a Yahoo Messenger 8.1 remote buffer overflow – are listed on the marketplace.  Asking bids range from $681 to $2,724.  The only bid offered so far is for a SquirrelMail GPG plug-in command execution exploit.
