The Ethics of Selling Vulnerabilities

"This seems a little more like an attempt at legitimizing the black market, where you're looking at a situation where it's not so much the sellers I would be concerned about. We deal with all sorts of sellers through our program and know which ones we shouldn't buy from, that sort of thing. But the buyers are what really concern me. What I see is there's probably not going to be a number of software vendors, and certainly not large vendors like a Microsoft, that will step in and buy their own vulnerabilities. It goes against [Microsoft's] own corporate value system to do so. I see other organizations buying these vulnerabilities. I don't see those vulnerabilities being reported to the vendor."

That's of particular concern when considering a flaw up for auction such as the Yahoo Messenger flaw: a remotely exploitable buffer overflow. Forslof asked who would possibly be interested in such a vulnerability, whose primary target is end users.

"Well, it's attackers," she said. "Not security vendors so much. It seems to be directed at the end user."

Wabisabilabi firmly believes that a company such as Yahoo should be interested in fixing the flaw, and soon. "I would have already registered and [bid] for the incredible value of 1,000 bucks and upgraded for every Messenger client in the world," Zampariolo said.

Maybe, maybe not. Maybe Microsoft will nudge its partners to purchase vulnerabilities off the auction site, as Zampariolo suggests could happen. Maybe not. At any rate, the issue of who would buy such a vulnerability also troubles Adriel Desautels, chief technology officer at vulnerability broker and vulnerability assessment and penetration testing firm Netragard.

"[Wabisabilabi] looks very much like an eBay auction site," Desautels said in an interview with eWEEK. "Imagine if they auctioned off vulnerabilities that enabled somebody to penetrate a whole slew of Windows operating systems. If a person says, 'I've got this nice new zero day now and I'm going to write a worm,' and it takes systems down, and the government goes to research this, they'll say, 'Who is the person who discovered this?' or 'How did they get this technology?' They'll go back to the lab and see who sold [the buyer] this [vulnerability]. When you're auctioning cyber weaponry capable of doing serious damage to cyber infrastructures, you're going to get shut down very fast."

In fact, Desautels won't do business with any organization or government outside of the United States, due to liability. "The reason why I [stay only with U.S.-based organizations] is for no other reason than I think you are a whole lot less exposed if you keep these things in your own territory," he said. "I would never sell an exploit to an individual. If you deal with businesses in the United States, they're bound by your jurisdiction, by U.S. law."

Wabisabilabi's Zampariolo defends the company's vetting process. It goes like this: A buyer needs to register by providing a slew of documents to the auction site, including proof of identity such as a passport photocopy. Wabisabilabi then needs information proving the company's registration (Wabisabilabi, like other flaw brokers, won't deal with individual buyers). Beyond that, Wabisabilabi requires a physical means of communication, such as a land-line phone number that's registered to the company that's registering as a buyer. And last but not least, he said, anonymity on the part of buyers is forbidden.

Whether or not such a vetting process will satisfy the ethics of security researchers remains to be seen and depends greatly on where a given researcher falls on the scale of white, gray and black hat. At the same time, the ethics of selling vulnerabilities, as opposed to getting them into the hands of vendors, simply appalls many.

A contributor to Bugtraq named Radoslav Dejanovi put it this way: "As [news articles about Wabisabilabi] did not let the reader know of an alternative (a place such as this one, where people give away their knowledge of vulnerabilities for free), there's no reason not to conclude that finding bugs in code is a great way to earn money. Talk about the message to the little kids."