WabiSabiLabi.com (WSLabi) is a Swiss company that has set up a marketplace for security vulnerabilities. Chief executive Herman Zampariolo says that it will help to encourage research into IT flaws, but the security industry fears that powerful information could fall into the wrong hands.

The market works by having buyers and sellers register with WSLabi. Buyers bid on information discovered by researchers about flaws, or vulnerabilities, in other people's software. Zampariolo says that it is the information, and not tools for exploiting it, that is sold.

"We didn't invent the idea that you can trade vulnerabilities. A number of companies are trading them, some of them fully legally, some others are the hidden side of the market in which are happening exchanges which are a bit less legal or ethical," Zampariolo told weekly technology law podcast OUT-LAW Radio.

"The idea is that it is happening in a marketplace in which everyone is free to register and in which everyone has a transparent identity," he said.

The traditional IT security industry has not welcomed the new marketplace. Its researchers say they take news of vulnerabilities first to the software companies, so that a fix is widely available and the software is safe to use; the market instead allows a small number of buyers to gain the security upper hand.

"What is in the public interest is that that vulnerability is provided to the manufacturer of that software so that they can provide a fix to the public en masse," said Greg Day, a security analyst at McAfee.

"When somebody puts a vulnerability on to an auction it's sold off to a private individual or organisation and it's really up to them what they then do with that. Do they use that to launch their own attack? Do they maybe try and blackmail the manufacturer? The scope is very broad as to what could be done," said Day.

Zampariolo says that his auction house could improve security by ensuring that the large numbers of amateur security researchers who find vulnerabilities are paid for their work. He says they currently get little more than a t-shirt and $100 from existing security companies.

"It is a rather unbalanced market in which software vendors are making profits in the tunes of billions regularly and researchers are rewarded with a t-shirt or $100 in hand," said Zampariolo. "I think a bit more equilibrium should be set."

Prices on the market have risen in its first month of operation from a few hundred to a few thousand dollars for a typical vulnerability, Zampariolo said.

But Day said that the black market in vulnerabilities offers up to $75,000 for a vulnerability, and that WSLabi cannot compete with those prices in attracting sellers.