Security research: buy low, sell high?
[Posted July 11, 2007 by jake]

Security researchers have a hard job, with vendors often ignoring their
research or, worse yet, slapping them with a lawsuit or criminal charges
for finding bugs. Even when vendors take them seriously, it
is difficult to turn good research into something you can eat, or pay the
rent with. Finding and reporting vulnerabilities is often a "loss leader"
for a security company or researcher; it is hoped that the credit they get
will translate into sales of their products or services. A new
vulnerability auction site seeks to
change that, by directly turning vulnerabilities into cash.

A Swiss company, WabiSabiLabi, runs the
MarketPlace auction site to "enable security researchers to get
a fair price for their findings and ensure that they will no longer be
forced to give them away for free or sell them to cyber-criminals,"
according to the press release
announcement. WabiSabiLabi is also in the business of providing security
consulting, which may be connected to the auction site, as the company claims
to provide information on "known and unknown" vulnerabilities. Though there is
no mention of a cost for providing the auction service, early warning of
zero-day vulnerabilities could be part of what the company charges researchers.

The model for the MarketPlace site is eBay, with several types of sales
available, including traditional and Dutch auctions. There is also the
"Buy now!" option and, something specific to MarketPlace, the "Buy
exclusively" option which, if offered and then used by a bidder, does not
allow the vulnerability to be auctioned again. WabiSabiLabi serves as an
intermediary in the transaction, in some ways like an escrow service; they
test and vouch for the vulnerability while protecting the identities of the
sellers and bidders.

At first blush, this would seem a perfect way for a criminal organization
to pick up vulnerabilities to use to further their aims, but WabiSabiLabi
claims to scrutinize both buyers and sellers, before allowing them to use
the site. The registration
page warns that one will be required to fax an ID card and telephone
number before being granted access to the site, but one would hope their
vetting process is more stringent than that. For buyers in particular,
the bar should be set quite high, if undisclosed vulnerabilities are
changing hands.

So far, there are four vulnerabilities listed on the site, two of which
have bids. The first is a Linux kernel information disclosure that allows
processes to read arbitrary kernel memory in 2.6 kernels up through
2.6.20.1, also known as CVE-2007-1000.
The second is a SquirrelMail
remote command execution bug. At press time, the current high bid for the
kernel bug is €600, while the SquirrelMail vulnerability is at
€700 (and can be bought outright, but not exclusively, for €2650).

It is not entirely clear why anyone would bid for the kernel bug, one
that has a CVE entry and has been fixed in the mainline for four months.
Perhaps the novelty is enough or some buyer has money to burn. On the
other hand, up until a BugTraq posting on 11 July, the
SquirrelMail vulnerability looked like the kind that would draw some
interest. It would appear, though, that the information needed to describe
the bug for the auction was enough for someone to figure it out. Do the
bidders get to withdraw their bids under that circumstance?

What, exactly, the bidders get is also in question. If the sellers want to
be able to sell multiple times, presumably they do not want buyers
disclosing the vulnerability, which could easily run counter to the aims of
potential buyers (governments or Mozilla for example). It also might be
rather hard to enforce. Perhaps there are security companies who want to
protect their customers immediately from a zero-day, but it would be rather
unethical for them not to work with the vendor to get the bug fixed. Clearly,
the entities most interested in buying vulnerabilities, and keeping
them secret for the long term, are the malicious ones.

Tipping Point, iDefense and others already offer bounties to security
researchers who have discovered flaws. For WabiSabiLabi and MarketPlace
sellers, the best hope is that those companies all start bidding against
each other on the site. A few high-profile, undisclosed vulnerabilities
selling for thousands of dollars is probably all it will take to propel the
site to success. If that does not occur, one hopes that WabiSabiLabi will
not fall into dealing with criminals, even though the return is likely to
be much better.

Security researchers should be rewarded, rather than punished, for
their work, but it remains to be seen if this particular idea will help
accomplish that goal.