[Infowarrior] - Vulnerability auction launches online

Richard Forno rforno at infowarrior.org
Sat Jul 7 01:27:22 UTC 2007


Vulnerability auction launches online
Published: 2007-07-06

http://www.securityfocus.com/brief/542?ref=rss

A group of security professionals launched this week what they hope will
become the eBay of security research.

The Swiss-registered company, WSLabi, boasts that its online portal will
allow researchers to sell vulnerabilities they have discovered to software
companies and other interested parties through an open market. WSLabi plans
to verify the identities and claims of both the buyer and seller. Already,
four software flaws -- including a Linux memory leak and a flaw in Yahoo!
Messenger 8.1 -- are listed on the site and more than 200 people have
registered, according to the firm.

The security professionals launched the service to allow researchers to get
a fair price for their discoveries and prevent exploits from being sold to
cybercriminals, said CEO Herman Zampariolo.

"Different security companies, such as iDefense and TippingPoint, are
already acting as intermediaries," Zampariolo told SecurityFocus in an
interview on Friday. "The only difference is the business model."

The sale of vulnerabilities has been a contentious topic, which has received
legitimacy only in the past two years due to flaw bounty programs such as
TippingPoint's Zero-Day Initiative (ZDI) and iDefense's Vulnerability
Contributor Program (VCP). While security researchers have seen some large
payoffs from selling vulnerability information to government agencies, for
the most part, the closed market for security research favors the buyers.
TippingPoint and iDefense typically pay anywhere from $1,000 to $15,000 for
vulnerability information, such as the recent QuickTime vulnerability used
at the CanSecWest Conference to win the PWN to OWN MacBook contest.

Previous attempts at selling vulnerability information on eBay have been
quickly taken down, despite many researchers' beliefs that such sales could
help security.

The team behind WSLabi includes CTO Giacomo Paoni, a former
information-technology consultant, and Strategic Director Roberto Preatoni,
better known as the founder of defacement database and security site
Zone-h.org.