Auction Site To Sell Security Vulnerabilities
talkinsecurity writes "A Swiss research lab has built an eBay-like marketplace where hackers and researchers can sell the security vulnerabilities they discover to the highest bidder. WabiSabiLabi could replace the back-room, secret sites where researchers and hackers used to sell their exploits and replace them with a neat, clean way to make money by finding security flaws. Those who have seen the site say they are concerned about how the buyers will be vetted, and how the marketplace will ensure the flaws aren't found through illegal methods."
The whole value of the exploit is that only a few people know it exists. How do you preserve that when you would need to divulge something of the nature of the exploit for it to be marketable?
I wonder if the people putting this on are actually looking to make a point about software vendors and their products. Any chance that they are looking to do nothing more than score some legal victories for the good of the public?
Regards.
The summary writer assumes that those currently exploiting flaws would not use "illegal methods" to discover them?
So an exploit is auctioned to the highest bidder, and then on a different account the researcher auctions the same exploit to yet another highest bidder.
Sounds good to me, but don't the buyers feel cheated? I can't see anything to stop this from happening, so it doesn't seem like much of an _auction_ to me.
Also, consequently, after you buy an exploit you could auction it off to a bunch of other people and potentially make all your money back and more.
I don't really see how the auction format can support non-tangible items, is all I'm saying.
It was an InfoSec class in a Masters program.
Question- what do you do if you come upon a security hole?
Answer- ?
Case in point, some grad student in physics accidentally came across a vulnerability in the engineering dept.'s site. He reported it to his adviser the same day. (Yes, it was all proven.) Adviser told the engineering dept., they fixed it, high fives all around. About a year later, the psych dept. gets broken into with a quasi-semi-like exploit. Who do the uni and cops go straight after as a suspect? Yup, the kid who turned in the engineering vulnerability. Eventually he was cleared, but how great is it to be a "Good Samaritan"?
So now you are a student who comes across a commercial exploit. Now what? Auction it off for some moolah, let the company know, sit tight? If you auction it off and don't get sued by the company, does the school have a right to kick you out due to "unethical behavior"? If you let the company know, what kind of exposure do you have then? Can they accuse you of being a hacker? If something similar happens in the future, can they come back to you? If you're a fan (or fanboy) of the company and sit tight, and later it gets hit by the same exploit, how is your conscience?
Now ramp the whole thing up to be a person in the commercial field. Tell your boss, etc.?
Now ramp it up to government level. Tell.... ? (underpant gnomes- had to fit that in somewhere)
Now ramp it up to classified level. Wait... nah, you're cool as long as you tell your boss so -they- can exploit it.
As an individual at home, you'll probably be fine as long as you don't use the exploit to your advantage, and if you report it to a security site or the company I would think you would be fine.
Personally, I wouldn't touch this site with a 6 foot pole.
Vote monkeys into Congress. They are cheaper and more trustworthy.