Slashdot Mirror


An eBay For Hackers

cyberdelicat writes to let us know about a Swiss security firm called WabiSabiLabi that is causing waves with its open auction for zero-day security vulnerabilities. While WSLabi claims they will thoroughly vet both buyers and sellers of vulnerabilities, many researchers are skeptical about how effectively they can do this. The Washington Post article mentions the guy who almost opened a similar auction site several years back, to be called Zero-Bay, but pulled the plug at the last minute. SearchSecurity notes that some security researchers are now referring to WSLabi as "zerobay" as they undermine the auction site by reproducing and publishing vulnerabilities as soon as they appear for sale.

3 of 60 comments

  1. Don't let stupidity fool you by packetmon · Score: 2, Interesting

    I saw via a security mailing list ridicule at "Who the hell would buy a Yahoo messenger exploit. har har". So let's think about this for a minute... Done, how many people do you know that use Yahoo messenger at their corporate office? As obscure as some may think the site will be, all you need is some hardcore "pwning" going on, and some government will treat the site as they did Pirate Bay and shut it down quickly.

  2. Dude, this sucks by TheModelEskimo · Score: 3, Interesting

    I posted this awesome cultural comment the last time this story was posted and nobody even replied. Now the dupe is just plowing up all those bad memories again. http://it.slashdot.org/comments.pl?sid=246095&cid=19763499

  3. Vulnerability Info Exchange is Good by this+great+guy · Score: 2, Interesting

    Selling information about security vulnerabilities may be considered unethical by some, but it is perfectly legal in almost all countries (notable exception: France). Don't forget that a vuln is just a bug; they are selling information about how to trigger a bug. Why would that be illegal? If a buyer exploits the bug for nefarious purposes, then the buyer is doing something illegal, not the seller. There are plenty of legitimate cases where a market for selling vulnerabilities is a good thing:

    • The developer of a vulnerable application may want to buy vulnerabilities found in his application. Financial reward is an incentive for security researchers to find more vulnerabilities in an application when they know they would get paid for it. Additionally, over time, the security of the application increases.
    • Penetration testing companies can increase their chance of a successful pentest with access to new and original vulnerabilities. This prompts the client (pentest target) to secure his IT infrastructure, by rearchitecting it, or implementing new security mechanisms.
    • Vulnerability assessment tool developers can gain an edge over their competitors by buying info about vulns. A legitimate security vuln market moves the VA market forward, and in the end increases the rate of discovery, and therefore the rate at which security vulns are fixed.
    • The biggest argument is perhaps this one: a vulnerability sold to a legitimate buyer is often one less sold to a criminal.