Site auctions software vulnerabilities to top bidder

WabiSabiLabi site could drive up the cost of fixing holes

There are many ways vulnerability information can get out to the industry but a controversial new site, auctioning such information to the highest bidder, may be the wave of the future.

The auction service, called WabiSabiLabi, lets potential sellers and buyers connect e-Bay-style, with timed bidding periods and minimum starting prices. Founders of the wslabi.com site say their auction house serves the researchers who discover vulnerabilities and often don't reap monetary rewards for their time and talent.

The business model is based on a practice that e-Bay shut down 16 months ago saying it promoted illegal activity. At the recent Black Hat show, published reports stated that 88 percent of respondents to an online poll said using such sites is dangerous. While it is accepted that researchers deserve to be paid for their work, selling to the highest bidder is frowned upon.

WabiSabiLabi disagrees, saying its e-marketplace, where any qualified buyer can bid, will actually discourage those who discover vulnerabilities from selling them on black markets to criminals who try to turn them into money.

The company says it checks out buyers and sellers before they can trade. "We are very aware about the risks of selling vulnerabilities, and this is why we subject buyers to deeper scrutiny, to minimize the risk of selling the wrong information to the wrong people," WabiSabiLabi says in its ethics statement. "We require non-anonymity from buyers and sellers alike. The stakes are just too high at this point in history."

Even so, the marketplace, which started business six weeks ago, is being eyed cautiously by entities dedicated to eliminating vulnerabilities quickly to avoid criminal exploitation.

"I don't think it's necessarily good for the community," says Jason Greenwood, the general manager of VeriSign's iDefense team, which pays bounties -- sometimes tens of thousands of dollars -- to researchers who discover vulnerabilities. "It will increase the perceived value of vulnerabilities, and the good guys already have trouble competing with the money you can get on the black market."

"There's a real danger that a number of these vulnerabilities will be purchased by buyers who do not turn them over to the vendors," says Terri Forslof, manager of security response for Tipping Point. "Once a vulnerability is turned over to a vendor its value starts to depreciate immediately. If someone paid lots of money for a vulnerability -- say US$75,000 to US$100,000 -- I guarantee they're not giving it to the vendor. Otherwise they've wasted their money."

VeriSign and its competitor Tipping Point, for example, both pay cash for significant vulnerability discoveries in an effort to plug software holes before they can be exploited. The companies then work with the vendors whose software is compromised to find fixes and publish the vulnerabilities.

VeriSign runs quarterly challenges paying as much as US$15,000 for researchers to find particular types of vulnerabilities in particular platforms, Greenwood says. Tipping Point ranks contributing vulnerability researchers as bronze, silver, gold and platinum depending on the quantity and quality of their discoveries, according to its description of Tipping Point's Zero Day Initiative. It rewards them with cash bonuses up to US$25,000 and pays their way to the Defcon and Black Hat security conferences.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Tim Greene

Network World

Comments

Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?