A Swiss company launched an eBay-like marketplace this week for buying and selling zero-day software vulnerabilities.
The goal of the WabiSabiLabi (WSLabi) exchange is to reward security researchers without putting valuable information in the hands of criminals, according to a company announcement.
"We decided to set up this portal for selling security research because although there are many researchers out there who discover vulnerabilities, very few of them are able or willing to report it to the right people due to the fear of being exploited," Herman Zampariolo, the company’s CEO, said in the statement. "Our intention is that the marketplace facility on WSLabi will enable security researchers to get a fair price for their findings and ensure that they will no longer be forced to give them away for free or sell them to cybercriminals."
The new business revives the debate over responsible disclosure. Some critics today denounced the venture, saying it invites criminal buyers and exposes end-users to unnecessary risk.
According to the company, registered users can sell their research – once verified by WSLabi’s own laboratory – through an auction, to as many buyers as possible at one price, or privately to a single purchaser. WSLabi profits 10 percent from each purchase.
Both buyers and sellers will be examined to ensure they are legitimate, according to the announcement.
"Researchers cannot submit security research material which comes from an illegal source or activity," the statement said. "Buyers will also be carefully vetted before being granted access to the platform so that the risk of selling the right stuff to the wrong people is minimised."
This includes requiring buyers and sellers to send a copy of their identification, be reachable on a landline telephone, provide an identifiable bank account and sign an agreement, said Roberto Preatoni, WSLabi's strategic director, in an email to SCMagazine.com.
But Gunter Ollman, director of security strategy for IBM Internet Security Systems, told SCMagazine.com today that he disagrees with the auction site.
"It’s a close match to what’s been existing in the underground," he said. "We’ve got the same sort of people finding these bugs, looking to make money off these bugs, and here we have another channel for them to potentially sell them."
Preatoni disagrees: "Even if you don't buy anything, you get informed for free about the existence of certain vulnerabilities that up to yesterday, were [zero-day]," he said. "The average user can check by himself about new threats, even without having the need to buy the proof-of-concept. In this way the 'underground' is pushed to the surface."
Experts said that legitimate researchers do not want to get paid extra for their findings, which are a part of their jobs.
Ollman added that he wonders how effective the vetting process is and whether WSLabi is profiting through the research, perhaps through penetration tests or consulting services.
Meanwhile, John Hill, security evangelist at McAfee, told SCMagazine.com that he worries identity thieves claiming to be a reputable researcher may try to purchase the vulnerabilities.
He also questions whether policies are in place to guarantee sellers will not turn around and peddle the same research in an underground forum. And Hill said he doubts WSLabi plans to report the research to the appropriate vendors, as the bounty programs at TippingPoint and VeriSign iDefense do, thereby leaving end-users exposed.