There are many ways vulnerability information can get out to the industry but a controversial new site, auctioning such information to the highest bidder, may be the wave of the future.
The auction service, called WabiSabiLabi, lets potential sellers and buyers connect e-Bay-style, with timed bidding periods and minimum starting prices. Founders of the wslabi.com site say their auction house serves the researchers who discover vulnerabilities and often don't reap monetary rewards for their time and talent.
The business model is based on a practice that e-Bay shut down 16 months ago saying it promoted illegal activity. At the recent Black Hat show, published reports stated that 88 percent of respondents to an online poll said using such sites is dangerous. While it is accepted that researchers deserve to be paid for their work, selling to the highest bidder is frowned upon.
WabiSabiLabi disagrees, saying its e-marketplace, where any qualified buyer can bid, will actually discourage those who discover vulnerabilities from selling them on black markets to criminals who try to turn them into money.
The company says it checks out buyers and sellers before they can trade. "We are very aware about the risks of selling vulnerabilities, and this is why we subject buyers to deeper scrutiny, to minimize the risk of selling the wrong information to the wrong people," WabiSabiLabi says in its ethics statement. "We require non-anonymity from buyers and sellers alike. The stakes are just too high at this point in history."
Even so, the marketplace, which started business six weeks ago, is being eyed cautiously by entities dedicated to eliminating vulnerabilities quickly to avoid criminal exploitation.
"I don't think it's necessarily good for the community," says Jason Greenwood, the general manager of VeriSign's iDefense team, which pays bounties -- sometimes tens of thousands of dollars -- to researchers who discover vulnerabilities. "It will increase the perceived value of vulnerabilities, and the good guys already have trouble competing with the money you can get on the black market."
"There's a real danger that a number of these vulnerabilities will be purchased by buyers who do not turn them over to the vendors," says Terri Forslof, manager of security response for Tipping Point. "Once a vulnerability is turned over to a vendor its value starts to depreciate immediately. If someone paid lots of money for a vulnerability -- say US$75,000 to US$100,000 -- I guarantee they're not giving it to the vendor. Otherwise they've wasted their money."
VeriSign and its competitor Tipping Point, for example, both pay cash for significant vulnerability discoveries in an effort to plug software holes before they can be exploited. The companies then work with the vendors whose software is compromised to find fixes and publish the vulnerabilities.
VeriSign runs quarterly challenges paying as much as US$15,000 for researchers to find particular types of vulnerabilities in particular platforms, Greenwood says. Tipping Point ranks contributing vulnerability researchers as bronze, silver, gold and platinum depending on the quantity and quality of their discoveries, according to its description of Tipping Point's Zero Day Initiative. It rewards them with cash bonuses up to US$25,000 and pays their way to the Defcon and Black Hat security conferences.