July 6, 2007 8:52 AM PDT

Auction site sells security exploits

An eBay-like auction site that sells vulnerabilities will improve security by ensuring researchers get a fair price for their work, its founders say.

"The existing business model to reward researchers is a failure," said Herman Zampariolo, chief executive of WSLabi, and the man behind the WabiSabiLabi auction site. A tiny minority of vulnerabilities currently get patched, he said, because IT experts aren't paid for their work in uncovering them: "If the firemen are not paid, it's not easy to extinguish a fire."

"As long as vulnerabilities are bought and sold privately, the value can't be the right one," Zampariolo said. "Our intention is that the marketplace facility on WSLabi will enable security researchers to get a fair price for their findings and ensure that they will no longer be forced to give them away for free or sell them to cybercriminals," he added.

The site currently holds a remote buffer overflow in Yahoo Messenger, a Linux kernel memory leak, an SQL injection flaw in MKPortal and a SquirrelMail problem.

Although researchers analyzed around 7,000 vulnerabilities last year, he reckons the actual number of vulnerabilities found in code per year could be 139,362--a curiously exact figure, originally quoted by Gunter Ollmann of security company ISS, now an IBM subsidiary.

This situation led Zampariolo, previously chief executive of Italian network company iLight, to set up the WabiSabiLabi site, along with strategic director Roberto Preatoni, founder of the Zone-h.org cybercrime archive. So far, no bids have been posted, possibly because of delays in identifying the buyers, each of whom must use snail mail or fax to deliver proof of their identity and their bank account--electronic currencies are not accepted on the site. Around 20 buyers have been registered so far, as well as 30 sellers, who have provided another batch of flaws that should be on the site next week.

"We are going full steam ahead," Zampariolo said. "More vulnerabilities have been submitted, and we are certifying and formatting them. Tomorrow is Saturday, and no one is going home."

Buyers can use nicknames to trade anonymously, although WSLabi will know who they are. Any exploits on the site must be disclosed to WSLabi, which will verify they are genuine, and provide a "proof of concept" to the eventual buyer. The lab has a staff of 10 engineers and others it can hire on a freelance basis.

The marketplace will be free to join and use for six months. After that, it will charge a fee of 10 percent to buyers and sellers, but the main revenue will be from services it offers to third parties using the knowledge base of vulnerabilities it has built up. This revenue will be shared with the finder of the vulnerability, and Zampariolo hopes that some companies will subscribe to these services instead of running their own security labs.

Existing security companies are split 50-50 over the value of WabiSabiLabi, but some stand to lose out, according to Zampariolo: "We are aiming to redesign completely the way security is handled. If our initiative is successful they will suffer." Among the likely losers will be iDefense and ISS, he said.

Among the critics is David Perry, director of education at Trend Micro. He described WabiSabiLabi as "an eBay for vulnerabilities" in published articles, asking: "How do we know who's good and who's bad when we do this?"

WSLabi is backed by about 5 million euros ($6.8 million) from individual investors, and hopes to float on a stock exchange (probably London's AIM or a similar exchange in Oslo) in around 18 months.

Peter Judge of ZDNet UK reported from London.

See more CNET content tagged:
auction site, vulnerability, buyer, researcher, security company

2 comments

Join the conversation!
Add your comment
Fair Market Value...
It's just common sense. Those whom divulge security exploits don't get paid for doing it. They get harped on if they don't divulge them properly (without notifying the entire world about them first) by secretly contacting the manufacturers of those security weak products.

But manufacturers such as Microsoft don't act upon such notifications ASAP and they pay virtually nothing for such notifications.

That makes discovering and responsibily disclosing weaknesses not worth a cent.

To top it off, if/when the manufacturers whom have been responsibly informed of such exploits decides to do nothing to fix those expoits and the finder decides to go public to exploit the lax security practices of the manufacturer... the manufacturer comes down on the finder and tries to exploit them as the bad guy for divulging such weaknesses to the open public before a patch is made.

Even if that responsible disclosure was made to the manufacturer months ago!!!

And there in lies the problem.

Responsible disclosure to irresponsible manufacturers is meaningless. End result, hold the manufacturer for ransom or else disclosure to the public will be made. But that too, taints the image of the good guy whom is made to look bad because he doesn't get paid from the irresponsible manufacturers... "namely Microsoft" along with a few others.

This new proposal however, will make it profitable and thus encourage; rather than discourage (which has been the past examples) people to find more bugs.

If the manufacturer is interested in finding out those details... then they must pay top e-bay dollar prices to receive such information.

Those whom don't feel it worth the time or effort will eventually be exploited. (* GRIN *)

Gotta love it when a plan comes together.

And it's also about time that the good guy quits getting painted as the bad guy.

From now on it will be painting the irresponsible manufacturer for not paying top dollar to find the exploits available in their company's products. (* GRIN *)

Walt
Posted by wbenton (522 comments )
Reply Link Flag
So, we should pay
people for exploiting security holes. Nice, tell me again, what is the difference between exploiters and exploiters? The net and PC's weren't meant for security, they were meant to facilitate from the very begining. The people that engage in maliciously exploiting software or computers should be hunted down like the dogs that they are and sent to prison. Then there would be no need for exploiters to get paid. You know that there are people that pay good money for someone to exploit weaknesses for evil purposes. If we pay good money for people to exploit weaknesses for not so evil purposes, then aren't we inviting a bidding war? What is to stop a person from working both sides? The goodness of their heart? Yeh, that's something we should encourage. Cut the crap, make it manditory federal time and have the feds hire the good guys. Then maybe we'll see a slow down in all this mess. The nature of software is to enable, not disable. We'll never get out of the cycle if we leave it to the software companies, it is beyond their ability.
Posted by suyts (824 comments )
Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.