An eBay-style marketplace where researchers and vendors can buy security vulnerabilities has been launched. Run by a Swiss research lab, WSLabi aims to allow security researchers to get a fairer deal for their research. All research will be vetted before a sale can be made, and users will also be checked to ensure criminals do not buy exploits or sell illegally obtained attacks, according to the company.
Once findings have been verified, they will be packaged with proof-of-concept code before being sold via an auction format. Herman Zampariolo, CEO of WSLabi, said: "Recently it was reported that although researchers had analysed more than 7,000 publicly disclosed vulnerabilities last year, the number of new vulnerabilities found in code could be as high as 139,362 per year. Our intention is that the marketplace facility will help security researchers to get a fair price for their findings and ensure that they will no longer be forced to give them away for free or sell to cyber criminals."
Although many vendors try to gain an edge by buying security flaw data from independent researchers, the auction site marks a new level of transparency in this potentially murky market. Payments are known to vary widely, but the maximum is thought to be around £5,000. Selling the same information on the black market is likely to generate more, albeit illegal, revenue.