[Infowarrior] - Security vuln auction site pulls in research

Richard Forno rforno at infowarrior.org
Sat Oct 13 13:46:54 UTC 2007


Security vuln auction site pulls in research
Alternative market attracts 150 listings
By John Leyden
Published Friday 12th October 2007 20:32 GMT
http://www.theregister.co.uk/2007/10/12/wslabi_update/

A controversial marketplace for security exploits and vulnerabilities said
it has exceeded expectations with the submission of more than 150
vulnerabilities in its first two months of operations.

WabiSabiLabi encourages security researchers to sell their findings to
vetted buyers. Herman Zampariolo, chief exec of WSLabi which runs the
WabiSabiLabi marketplace, said that the quality of the submitted
vulnerabilities is as important as their quantity.

Vulnerabilities on the marketplace have had selling prices ranging from
100 to 15,000 euros each. So far 1,000 sellers (researchers) have registered
on the site.

The types of vulnerabilities that have made it on to the marketplace include
51 bugs in Windows, 19 flaws in Linux, 29 web application vulnerabilities
and two Mac-related flaws. Bugs in enterprise apps have also made an
appearance with 10 flaws in enterprise software from SAP and one IBM-related
vulnerability. Not all vulnerabilities submitted make it onto the
marketplace. So far, WabiSabiLabi has rejected 40 for reasons including the
use of "illegal methodology", such as reverse engineering on protected
software. Only previously unpublished vulnerabilities are eligible for
auction by WabiSabiLabi. In addition the Swiss firm does not accept
vulnerabilities that apply to bespoke software.

WSLabi verifies the vulnerability research submitted to it before offering
it for sale online. The firm advises researchers how best to auction their
research on its site. Only two-thirds of submitted vulnerabilities have
successfully passed through its vetting process, WSLabi reports.

"The number of vulnerabilities on the marketplace proves that WSLabi is
providing an alternative legal outlet for vulnerabilities, it is diverting
research from being used for illegal purposes and generating regular and
legitimate revenue for researchers," said security researcher and defacement
archive Zone-h co-founder Roberto Preatoni.

The launch of the WSLabi marketplace marks a further evolution in the
increasingly complex market for security research and vulnerability information.

Some security firms try to get an edge over their rivals by paying
independent security researchers for bugs they find, defences against which
are added to their security products and notification services, thereby
boosting their appeal. The approach was first widely applied by iDefense,
but has since been taken up by other firms including Immunity and 3Com's
TippingPoint division. Payments vary but tend to max out at around $10,000.