
Security research: buy low, sell high?

Security researchers have a hard job, with vendors often ignoring their research or, worse yet, slapping them with a lawsuit or criminal charges for finding bugs. Even when vendors take them seriously, it is difficult to turn good research into something you can eat, or pay the rent with. Finding and reporting vulnerabilities is often a "loss leader" for a security company or researcher; it is hoped that the credit they get will translate into sales of their products or services. A new vulnerability auction site seeks to change that, by directly turning vulnerabilities into cash.

A Swiss company, WabiSabiLabi, runs the MarketPlace auction site to "enable security researchers to get a fair price for their findings and ensure that they will no longer be forced to give them away for free or sell them to cyber-criminals," according to the press release announcement. WabiSabiLabi is also in the business of providing security consulting, which may be connected, as the company claims to provide its clients with information on "known and unknown" vulnerabilities. There is no mention of a fee for the auction service; early warning of zero-day vulnerabilities for its consulting business could be part of what the company takes from researchers in exchange.

The model for the MarketPlace site is eBay, with several types of sales available, including traditional and Dutch auctions. There is also the "Buy now!" option and, something specific to MarketPlace, the "Buy exclusively" option which, if offered and then used by a bidder, does not allow the vulnerability to be auctioned again. WabiSabiLabi serves as an intermediary in the transaction, in some ways like an escrow service; it tests and vouches for the vulnerability while protecting the identities of the sellers and bidders.

At first blush, this would seem a perfect way for a criminal organization to pick up vulnerabilities to use to further its aims, but WabiSabiLabi claims to scrutinize both buyers and sellers before allowing them to use the site. The registration page warns that one will be required to fax an ID card and telephone number before being granted access to the site, but one would hope the vetting process is more stringent than that. For buyers in particular, the bar should be set quite high if undisclosed vulnerabilities are changing hands.

So far, there are four vulnerabilities listed on the site, two of which have bids. The first is a Linux kernel information disclosure that allows processes to read arbitrary kernel memory in 2.6 kernels up through 2.6.20.1, also known as CVE-2007-1000. The second is a SquirrelMail remote command execution bug. At press time, the current high bid for the kernel bug is €600, while the SquirrelMail vulnerability is at €700 (and can be bought outright, but not exclusively, for €2650).

It is not entirely clear why anyone would bid for the kernel bug, one that has a CVE entry and has been fixed in the mainline kernel for four months. Perhaps the novelty is enough, or some buyer has money to burn. On the other hand, up until a BugTraq posting on 11 July, the SquirrelMail vulnerability looked like the kind that would draw some interest. It would appear, though, that even the amount of information needed to describe the bug for the auction was enough for someone to figure it out. Do the bidders get to withdraw their bids in that circumstance?

What, exactly, the bidders get is also in question. If the sellers want to be able to sell multiple times, presumably they do not want buyers disclosing the vulnerability, which could easily run counter to the aims of potential buyers (governments or Mozilla for example). It also might be rather hard to enforce. Perhaps there are security companies who want to protect their customers immediately from a zero-day, but it would be rather unethical for them not to work with the vendor to get the bug fixed. Clearly, the entities most interested in buying vulnerabilities, and keeping them secret for the long term, are the malicious ones.

TippingPoint, iDefense, and others already offer bounties to security researchers who have discovered flaws. For WabiSabiLabi and MarketPlace sellers, the best hope is that those companies all start bidding against each other on the site. A few high-profile, undisclosed vulnerabilities selling for thousands of dollars would probably be all it takes to propel the site to success. If that does not occur, one hopes that WabiSabiLabi will not fall into dealing with criminals, even though the return is likely to be much better.

Security researchers should be rewarded, rather than punished, for their work, but it remains to be seen if this particular idea will help accomplish that goal.



Security research: buy low, sell high?

Posted Jul 15, 2007 11:11 UTC (Sun) by ortalo (subscriber, #4654) [Link]

The security researchers should certainly be rewarded for their work; that's a long-time problem, so any attempt to improve this situation is indeed worth a look.
But I wonder how one could address the other part of the problem: how could we *punish* the developers/managers/companies/users that introduce security bugs?
Certainly, that's a difficult problem, only intentionally careless developers deserve punishment, individuals certainly should be treated differently from organizations, administrators are sometimes the actual culprit, not to speak about all those managers who simply never want to fund security... However, it may be the other important part of the equation.

putting a price on lax security...

Posted Jul 19, 2007 12:34 UTC (Thu) by jabby (guest, #2648) [Link]

Actually, I was just thinking that this is a good way to get development companies who undervalue security auditing to put a realistic value on it. When they see what it will cost to buy themselves out of trouble ("Buy exclusively!"), perhaps they will see the relative cost-effectiveness of dedicating resources to security in their development processes. If not, at least it forces them to pay for their lax approach to security.

Re: punishment... I don't believe in punishment. In the first part of the theory, people learn to avoid the negative consequence and adjust their behavior in the future. That part might have some bearing on reality, but it certainly hasn't solved the problems of society (think "recidivism", "repeat offenders"). The other part of the theory is that the knowledge of the punishment will cause people to avoid the behavior in the first place. This just hasn't been shown to work (think "partial reinforcement"). In general, I find that understanding the source/motive of the bad behavior and addressing it at that level is far more effective.

Copyright © 2007, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds