Site Hopes to Become eBay of Vulnerabilities
By Ed Oswald | Published July 6, 2007, 3:30 PM
A new auction site is making a business out of selling security exploits, arguing that the current methods of rewarding researchers for their work are broken.
The company behind it, called WSLabi, hopes the site will end the practice of researchers being forced to give away their work for free or sell it to cyber-criminals. It also hopes the site will increase the number of publicly disclosed vulnerabilities.
In 2006, more than 7,000 flaws were disclosed, but studies suggest that as many as 132,000 more could have been disclosed if there were safe methods to disclose the flaw, as well as a way for researchers to be reimbursed for their work, WSLabi says.
Currently, vulnerabilities are sold to one company on an exclusive basis for $300-$1000. However, WSLabi believes that those payments could multiply ten to twenty times using their auction service.
"Our intention is that the marketplace facility on WSLabi will enable security researchers to get a fair price for their findings," CEO Herman Zampariolo said in a statement.
WSLabi tests each exploit in an independent lab and then packages it with proof-of-concept code. From there, the researcher can opt to auction it off or sell it to one or more buyers at a fixed price.
Some may find this practice objectionable; however, the company says it takes all necessary steps to ensure that both the buyer and seller have the best interests of the public in mind. All buyers are carefully vetted before being allowed access to the site.
Even with their identities disclosed to WSLabi, users still trade under nicknames, as on eBay, so that no personal information is disclosed. All sensitive data is held on a separate server, the company says.
Already, three vulnerabilities have been listed on the site, including a Linux kernel memory leak, a Yahoo Messenger remote buffer overflow, a Squirrelmail issue, and a SQL injection risk in MKPortal.
WSLabi will be free for both buyers and sellers for the first six months. After that, a fee of 10 percent will be charged to both buyers and sellers.
So this company can never make the exploits public because they are selling them, so if I was the company of a listed exploit I wouldn't buy it since it's pretty much a secret. But I could see a company buying an exploit on their competitors' products, which then I can only imagine they would do to exploit it.
I can also see WSLabi being sued or blacklisted by companies and pretty much going out of business real quick.
Score: 0
Just what we needed, a WalMart for vulnerabilities, so even the dumbest hick can buy and exploit them now.
If people sell top secret information to whoever pays most it's called treason, but selling vulnerabilities is suddenly ok?
Score: 0
Good to know I'm not the only one who thinks this website's idea is just trouble waiting to happen ...
Score: 0
Sounds like a quick grab of cash for vulnerabilities on WSLabi's part more than assisting the general population.
How long before we have script kiddies/virus writers being the biggest buyer on this site?
I would be more happy if they became an escrow for the security researchers and sold the solutions back to the companies making the products, and then within an agreed time (say 30-60 days) the vulnerability is publicly announced.
This site is bound to be abused.
Score: 0
I already saw a post on how to unlock the iPhone (activate) as long as you have one legitimate account.
Information isn't power, it's the power to misuse the information.
Score: 0
Great, so you have not one, but two iPhones to pay for.
Score: 0
It doesn't activate cellular service -- it's just an expensive music player... for now.....
Score: 0
It's more of a video player. I saw, it's pretty hard as a portable video player, but for a price tag of 600, I will pass.
Score: 0
This won't help much in increasing "publicly disclosed vulnerabilities." If the buyer doesn't disclose it, it still hasn't been made public.
Most times, if someone other than the author of the exploited software buys from this site, there is no benefit to the public. It isn't any better than if the researcher kept it a secret.
Other than advertising that your firewall or antispyware utility is better than others because it fixes "secret vulnerabilities", is there anyone other than the authors of exploited software who can, even in theory, have a beneficial use for a vulnerability?
Score: 0
Yeah, this won't be abused at all.
Score: 0