How much am I offered for this exclusive back door that swings both ways and comes with a door jam?
Written by Daniel
Monday, 09 July 2007 12:17
An Auction Site for Vulnerabilities
— Tim Wilson, Site Editor, Dark Reading

JULY 5, 2007 | Discover a security flaw in a major application or system? You can't sell it on eBay. But starting this week, you can sell it on a new auction site that's not too much different.

WabiSabiLabi, whose marketplace opened for trading on Tuesday, is aiming to change the back-room market for security vulnerabilities and move it into the mainstream. Any researcher who finds a flaw can register to sell it on WSLabi's marketplace. WSLabi, a "neutral, vendor-independent Swiss laboratory," checks out the vulnerabilities and verifies their validity in its own labs before allowing them to be auctioned.

"This thing could definitely have legs," says Jeremiah Grossman, CTO of WhiteHat Security. "I've heard people talk about selling exploits for a while, auction-style or otherwise, but this is the first auction implementation I've seen. All this would take is a couple of successful transactions, and it could cause a big shift in the way we traditionally think about the vulnerability disclosure process."

Four auctions are currently running on the WabiSabiLabi marketplace, including a Linux kernel memory leak vulnerability with a starting price of 500 euros.

The marketplace's founders say they believe the "ethical disclosure" policy followed by many security researchers is costing them money. "The system introduced by 'ethical disclosure' has been historically abused by both vendors and security providers in order to exploit the work of security researchers for free," the auction site says.

"This happens only in the IT security field," the site states. "Nobody in the pharmaceutical industry is blackmailing researchers (or the companies that are financing the research) to force them to release the results for free under an ethical disclosure policy.

"In this view, WabiSabiLabi has a not-for-free-disclosure policy, explicitly aiming to reward researchers," the founders state. "The only free information available to both vendors and public will be the general information on each piece of security research listed on the marketplace, which will be enough to understand the issues introduced by each security research, without disclosing any sensible technical detail."

"Recently it was reported that although researchers had analyzed a little more than 7,000 publicly disclosed vulnerabilities last year, the number of new vulnerabilities found in code could be as high as 139,362 per year," said WSLabi CEO Herman Zampariolo, in a written statement. "Our intention is that the marketplace facility on WSLabi will enable security researchers to get a fair price for their findings and ensure that they will no longer be forced to give them away for free or sell them to cyber-criminals."...
