Site Hopes to Become eBay of Vulnerabilities
A new auction site is making a business out of selling security exploits, saying the current methods of rewarding researchers for their work are broken.
The site is called WSLabi, and the company behind it hopes that it will end the practice of researchers being forced to give away their work for free or sell it to cyber-criminals. It also hopes that the site will increase the number of publicly disclosed vulnerabilities.
In 2006, more than 7,000 flaws were disclosed, but studies suggest that as many as 132,000 more could have been disclosed if there were safe methods to disclose flaws, as well as a way for researchers to be reimbursed for their work, WSLabi says.
Currently, vulnerabilities are sold to one company on an exclusive basis for $300-$1000. However, WSLabi believes that those payments could multiply ten to twenty times using its auction service.
"Our intention is that the marketplace facility on WSLabi will enable security researchers to get a fair price for their findings," CEO Herman Zampariolo said in a statement.
WSLabi tests each exploit in an independent lab, and then packages it with proof-of-concept code. From there, the researcher can opt to auction it off or sell it to one or more buyers at a fixed price.
Some may find this practice objectionable; however, the company says it takes all necessary steps to ensure that both the buyer and seller have the best interests of the public in mind. All buyers are carefully vetted before being allowed access to the site.
Even with their identities disclosed to WSLabi, users still trade under nicknames, as on eBay, so that no personal information is disclosed. All sensitive data is held on a separate server, the company says.
Already, three vulnerabilities have been listed on the site, including a Linux kernel memory leak, a Yahoo Messenger remote buffer overflow, a Squirrelmail issue, and a SQL injection risk in MKPortal.
WSLabi will be free for both buyers and sellers for the first six months. After that, a fee of 10 percent will be charged to both buyers and sellers.