Slashdot Mirror


Auction Site To Sell Security Vulnerabilities

talkinsecurity writes "A Swiss research lab has built an eBay-like marketplace where hackers and researchers can sell the security vulnerabilities they discover to the highest bidder. WabiSabiLabi could replace the back-room, secret sites where researchers and hackers used to sell their exploits and replace them with a neat, clean way to make money by finding security flaws. Those who have seen the site say they are concerned about how the buyers will be vetted, and how the marketplace will ensure the flaws aren't found through illegal methods."

14 of 121 comments

  1. Re:Bidding up by MadUndergrad · · Score: 4, Insightful

    Yeah, like it or not there's a good deal of trust involved for sites like eBay. I don't think that's going to work when extortion and thousands of dollars are on the line.

  2. sounds good to me by nanosquid · · Score: 4, Insightful

    Companies like Microsoft seem to have developed the attitude that people shouldn't find their security holes at all, but if they do, they should be obligated to report them for free.

    I think a free market approach like this is good.

    As for vetting buyers and sellers, I don't think that's either necessary or desirable. If people find security holes through "illegal means" (whatever that means), it's a matter for the police and courts. And if the mafia outbids Microsoft, well, then Microsoft will have to live with the consequences or pay more next time. Companies like Microsoft should be exposed to the true costs of their security vulnerabilities, and they will be exposed to that only if the "bad guys" are in on the bidding, because vulnerabilities aren't worth a lot to the other "good guys".

    If prices and damages get high enough, companies will invest enough in software development to stop creating security vulnerabilities in the first place.

    1. Re:sounds good to me by suv4x4 · · Score: 4, Insightful

      """
      Companies like Microsoft seem to have developed the attitude that people shouldn't find their security holes at all, but if they do, they should be obligated to report them for free.

      I think a free market approach like this is good.
      """

      Oh yeah, free market always works! Especially when the bidders in this case would actually gain financial benefit from said "goods" by illegal access to people's machines.

      Software companies that produce products will be forced to "pay up" or let the vulnerability go to said parties above.

      Other free markets that work just fine, and bidding works miracles in there:

      * Human Organ Markets
      * Internet domains
      * Fire Weapons, Biological Weapons, Missiles
      * Kidnapping journalists in Iraq for bounty
      * De-regulated utility monopolies
      * Open Market Health Insurances

      The world is full of amazing examples where the best thing EVAH to do, was just sit there in awe and think "it's perfect"!

  3. How would you know that it is only sold once? by EmbeddedJanitor · · Score: 4, Insightful

    After all, who's going to try to claim "ownership" of an exploit?

    --
    Engineering is the art of compromise.

  4. Re:How do you preserve value? by GizmoToy · · Score: 4, Insightful

    I agree. Once you tell the bidder what the flaw is in, and give a good enough description of it to garner bids, someone is going to be able to track it down for themselves for free. Not the best business model.

  5. Ripoff Central? by Penguinisto · · Score: 2, Insightful

    eBay is bad enough when it comes to the occasional scam (though I've been quite lucky with all the purchases and sales on it I've made thus far, there are more than enough ripoff stories about...)

    While someone dumb enough to, say, screw over a Russian Mafiya buyer, I can see where there would be more than enough idiots out there who would happily try (and hiding behind eGold and proxies, etc for payments... it may even be feasible )

    Not like there would be much in the way of honor among thieves when it comes to a near-total-anonymous thing like malware and malware kiddies...

    (besides, all one would really have to do to make a killing as a seller is to dredge through securityfocus' vulns DB... the smart crims would avoid bidding on it, and the dumb ones? Well...)

    /P

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?

  6. Laws Are _Not_ Universal by Secret Rabbit · · Score: 2, Insightful

    """
    and how the marketplace will ensure the flaws aren't found through illegal methods.
    """

    In which country?

  7. It's simple, really - and why it won't work by tomhudson · · Score: 4, Insightful

    It reminds me of the joke:

    Man: I just lost my wallet with $1,000.00 and my credit cards in it. I'll give whoever finds it $100.00.
    Voice from back of room: I'll give $200.00

    If it's a real vulnerability, you can sell it over and over again. None of the buyers is going to leak it - they'd lose their investment, and chance to make $$$.

    So, sell it once for $X, or sell it 20 times for $X/2?

    This is just someone else with a lame attempt to insert themselves into a market.

  8. Competition for VCP and ZDI by Anonymous Coward · · Score: 1, Insightful

    This will be interesting to see how it plays out. The two main legitimate vulnerability purchasers at the moment are iDefense's VCP (http://labs.idefense.com/vcp/) and Tippingpoint's ZDI (http://www.zerodayinitiative.com/). An open marketplace for researchers to sell their work is a good thing if implemented correctly. Previously there was little or no room to negotiate a fair price and all the information must be disclosed to the buyers first (trust is assumed that they will not use the information if they decide not to buy). Having a third party running an auction/fixed price sale will hopefully bring out the legitimate market for this kind of research. On the flip side, there is a large can of ethics-laden worms being opened up and again I will be interested to see in a year's time if the WabiSabiLabi marketplace is still operating successfully. Here is an interesting paper on The Legitimate Vulnerability Market: http://weis2007.econinfosec.org/papers/29.pdf

  9. perceived problem by mathfeel · · Score: 2, Insightful

    While I applaud this free-market approach to vulnerabilities and the idea that careless software engineering should cost companies money, I have to ask the question. How do bidders verify that a bug is indeed found as claimed? I mean, what's to stop someone from claiming bug X exists, asking for a bid, and leaving the bidder out in the cold? I suppose the same problem exists with eBay, but on eBay at least there is a picture (not necessarily of the item itself of course). What's there to stop cyber racketeering and blackmailing??

    --
    The only possible interpretation of any research whatever in the 'social sciences' is: some do, some don't

  10. I give it a month. by jcr · · Score: 2, Insightful

    This is going to vanish under an avalanche of litigation.

    -jcr

    --
    The only title of honor that a tyrant can grant is "Enemy of the State."

  11. Re:How do you preserve value? by RealGrouchy · · Score: 2, Insightful

    You preserve value the same way you do with eBay--you don't.

    If you want to make a lot of money selling $PRODUCT, eBay is not a very good place to do it, particularly when the market is flooded.

    This will probably only be used by lazy white-hats who don't want to bother finding a black-market purchaser for their exploit--assuming there are sufficient quantities of supply and demand.

    As with many "new overarching central service to do X" stories and sites on /., this one will probably also go down the tubes.

    - RG>

    --
    Hey pal, this isn't a pleasantforest, so don't waste my time with pleasantries!

  12. I wash my hands. by WK2 · · Score: 2, Insightful

    Sounds like a great way to wash your hands after selling a vulnerability to the mafia. "I don't know who you are, or what you intend to do with this weapon. I don't want to know."

    --
    Write your own Choose Your Own Adventure. http://www.freegameengines.org/gamebook-engine/

  13. Re:"illegal methods" ? by Architect_sasyr · · Score: 2, Insightful

    """
    Reverse Engineering - Legal
    """

    Actually most EULAs prohibit this, thus making it illegal, and I believe copyright laws have a similar result. This is a fine line to walk (and IANAL) but I believe it would still be illegal. Something like fuzzing on the other hand is probably not, except that you then generally have to reverse engineer the application to get some good, solid, working shellcode in there.

    --
    Me failed English...
    FreeBSD over Linux. If my comments seem odd, this may explain...