A Switzerland-based company this week launched an eBay-like marketplace for buying and selling zero-day software vulnerabilities.
The goal of the WabiSabiLabi (WSLabi) exchange is to reward security researchers without putting valuable information in the hands of criminals, according to a company announcement.
"We decided to set up this portal for selling security research because although there are many researchers out there who discover vulnerabilities, very few of them are able or willing to report it to the right people due to the fear of being exploited," Herman Zampariolo, the company’s CEO, said in the statement. "Our intention is that the marketplace facility on WSLabi will enable security researchers to get a fair price for their findings and ensure that they will no longer be forced to give them away for free or sell them to cybercriminals."
The new business raises the debate over responsible disclosure. Some critics today denounced the venture, saying it invites criminal buyers and exposes end-users to unnecessary risk.
According to the company, registered users can sell their research – once verified by WSLabi’s own laboratory – through an auction, to as many buyers as possible at one price, or privately to a single purchaser. WSLabi profits 10 percent from each sale.
Both buyers and sellers will be examined to ensure they are legitimate, according to the announcement.
"Researchers cannot submit security research material which comes from an illegal source or activity," the statement said. "Buyers will also be carefully vetted before being granted access to the platform so that the risk of selling the right stuff to the wrong people is minimized."
This includes requiring buyers and sellers to send a copy of their identification, be reachable on a landline telephone, provide an identifiable bank account and sign an agreement that, if violated, could result in a lawsuit, said Roberto Preatoni, WSLabi's strategic director, in an email to SCMagazine.com.
L.M.H., the hacker responsible for the Month of Kernel and Apple Bugs projects, doubts WSLabi can ensure the validity of each person.
"What if someone compromises their backend?" he said in an email to SCMagazine.com. "How can they truly know who they are dealing with? Not even government or the most selective organizations are able to trace background..."
Gunter Ollman, director of security strategy for IBM Internet Security Systems, told SCMagazine.com today that he disagrees with the auction site.
"It’s a close match to what’s been existing in the underground," he said. "We’ve got the same sort of people finding these bugs, looking to make money off these bugs, and here we have another channel for them to potentially sell them."
Preatoni said this venture is different because it offers more transparency.
"Even if you don't buy anything, you get informed for free about the existence of certain vulnerabilities that up to yesterday were [zero-day]," he said. "The average user can check by himself about new threats, even without having the need to buy the proof-of-concept. In this way, the 'underground' is pushed to the surface."
Experts said that legitimate researchers do not want to get paid extra for their findings, which are a part of their jobs.
Ollman added that he wonders how effective the vetting process is and whether WSLabi is profiting through the research, perhaps through penetration tests or consulting services.
He also questions whether policies are in place to guarantee sellers will not turn around and peddle the same research in an underground forum. And Hill said he doubts WSLabi plans to report the research to the appropriate vendors, as the bounty programs at TippingPoint and VeriSign iDefense do, thereby leaving end-users exposed to risk.
Preatoni said the company will not report the research.
"We have a 'not-for-free' policy," he said.
So far, four vulnerabilities – among them, a Linux kernel memory leak and a Yahoo Messenger 8.1 remote buffer overflow – are listed on the marketplace. Asking bids range from $681 to $2,724. The only bid offered so far is for a SquirrelMail GPG plug-in command execution exploit.
Click here to email reporter Dan Kaplan.