Security exchange trades zero-day flaws

Swiss laboratory launches marketplace for security research

By Robert Jaques

July 5, 2007

http://www.vnunet.com/vnunet/news/2193550/security-exchange-trades-zero

A vendor-independent Swiss laboratory is aiming to allow hackers and security specialists to sell vulnerability data to security vendors and software companies.

WSLabi claims that its offering is the first zero-day vulnerability security research exchange.

Herman Zampariolo, chief executive at WSLabi, said: "We set up this portal for selling security research because, although there are many researchers out there who discover vulnerabilities, very few are able or willing to report it to the 'right' people due to the fear of it being exploited."

Zampariolo added that, although researchers had analysed around 7,000 publicly disclosed vulnerabilities last year, the number of new vulnerabilities found in code could be as high as 139,362 a year.

"Our intention is that the marketplace facility on WSLabi will enable security researchers to get a fair price for their findings and ensure that they will no longer be forced to give them away for free or sell them to cyber-criminals," he said.

Researchers can submit their findings to the exchange once they have registered. WSLabi will then verify the research by analysing and replicating it at their independent testing laboratories.

WSLabi will then package the findings with a proof of concept, which can then be sold to the marketplace.

Roberto Preatoni, strategic director at WSLabi, said: "Before we have even launched the marketplace there are already three new vulnerabilities available from security researchers.

"The vulnerability research is associated with Linux, Yahoo Messenger and SquirrelMail.

"This shows that this venture is filling a gap within the security research market, a place where security researchers are confident that they will get the right value for their findings."

Researchers and buyers will have to identify themselves to WSLabi to ensure that they are legitimate.

Researchers cannot submit security research material which comes from an illegal source or activity.

Buyers will be carefully vetted before being granted access to the auction platform so that the risk of selling the 'right stuff' to the 'wrong people' is minimised.

The marketplace will be free to use for the first six months for researchers and buyers.

Even though all parties will have to identify themselves to WSLabi, no personal information will be disclosed or held in the public domain. Each buyer and seller will have a nickname under which they will trade.

The exchange also aims to compile a global database of "every piece of IT security research ever found". [an error occurred while processing this directive]