NSS Labs' Exploit Hub will make exploits for known vulnerabilities available to pen testers and other buyers.
NSS Labs is planning to open an online store for security exploits.
Through the Exploit Hub, NSS Labs will allow researchers to buy and sell exploits. According to NSS Labs President Rick Moy, the initial set of buyers will be "known quantities" such as penetration-testing companies and security vendors.
"The goal is to close the capabilities gap between the cyber-criminals
and white hats, by enabling defenders to perform more comprehensive
of their defenses," Moy told eWEEK.
The company will take a 30 percent cut of the sales in exchange for testing
and validating the exploits as well as promoting and managing the marketplace.
The price of exploits will be driven by demand, with the researchers who submit
the exploits deciding on the price tag for their work, Moy added.
"Identities and reputations of companies and individuals will be [a] key
factor," Moy said. "We plan to leverage our long-standing independent
position in the information security community and network of peers to vet the
No zero-day vulnerabilities will be sold through the store, something that distinguishes it from marketplaces like the one previously run by WabiSabiLabi.
"In the end, the efforts required to keep a zero-day secret also work
against the concept of an open marketplace," said HD Moore, chief security
officer at Rapid7 and creator of Metasploit. "The NSS
approach sounds like a great way for exploit developers to profit from their
work and an excellent source of useful tools for penetration testers
everywhere. Since they are only dealing with exploits for which vulnerability
details are already available, it's less about safeguarding sensitive
information and more about creating a market for exploit tools."
NSS Labs is planning a "phased release approach to vetted buyers" and is aiming to open the store in October, Moy said. Interested parties can sign up by contacting firstname.lastname@example.org.