Bug Brokers: eBay-like Bug Site Doomed

News Analysis: The key problem with eBay-like auction site Wabisabilabi is that you can't reveal details about a vulnerability without tipping off researchers on how to find it.

Claiming that security researchers are dissatisfied with current remuneration—white-hat chump change or the potential of black-hat broken kneecaps—a Swiss company has launched the first non-black-market auction site for zero-day vulnerabilities.

The eBay-like bug market, called Wabisabilabi, launched July 3. Security researchers and vulnerability brokers like the concept of selling vulnerabilities for fair market price just fine, but they also say the auction site has some serious flaws: lack of transparency (just who, exactly, is running this thing?); lack of ethics in selling vulnerabilities as opposed to just getting vendors to fix their products ASAP and thereby getting users protected ASAP; and lastly, the fact that you can't reveal details about a vulnerability without tipping off researchers on how to find it.

That, in fact, has already happened with one of Wabisabilabi's items, a command-execution PoC (proof of concept) for a vulnerability in the Squirrelmail GPG Plugin that researchers believe they nailed after a mere 10 minutes of pondering the code and the flaw description.

Thus far, the auction site's listings page contains four flaws up for bid: a PoC for a local Linux kernel memory leak, not remotely exploitable, with one bid, now going for 600€; the vulnerability in the Squirrelmail GPG Plugin, also up to 600€ in spite of having likely been uncovered elsewhere; a remotely exploitable SQL injection vulnerability in MKPortal for which nobody's bidding; and the pièce de résistance: a PoC for a gleaming, zero-day Yahoo Messenger 8.1 remote buffer overflow on Windows XP, remotely exploitable by—get this—any user in the victim's address book (although some interaction from the victim is required).

Arbitrary code execution possible but non-trivial.

All for a paltry minimum bid of 2,000€.

Actually, compared with prices reportedly paid by vulnerability brokers or on the black market, 2,000€—that's $2,725.30 in U.S. dollars—is paltry. Open-source software maker The Mozilla Foundation may only reward security researchers with $500 and a T-shirt for a reported flaw, but black-market prices reportedly range into six digits.

H.D. Moore, founder of the Metasploit Project, has been offered between $60,000 and $120,000 by a private buyer for each client-side vulnerability found in Internet Explorer, for example.

Granted, the marketplace is young. It could be that Wabisabilabi hasn't yet vetted many buyers or sellers. Or, as pointed out by Terri Forslof, manager of security response for 3Com's TippingPoint division, vulnerability sellers or buyers may be hesitant to give it a try, as they were when TippingPoint launched its own ZDI (Zero-Day Initiative).

Nobody's bidding at Wabisabilabi, her thinking goes, since they don't see anybody else bidding, and they have no clue how much to bid anyway. TippingPoint's ZDI buys vulnerabilities from researchers, notifies the affected product vendor, and protects its own customers from zero days through its intrusion prevention technology.

And yet the idea behind Wabisabilabi is to get security researchers a fair price for their findings and "ensure that they will no longer be forced to give them away for free or sell them to cyber-criminals," according to the company's launch press release.

"We strongly believe … researchers [who are] … doing their job and researching security … these guys need to be brought into legitimate revenue with legitimate reward for what they're doing," said Herman Zampariolo, CEO of WSLabi, in an interview with eWEEK.

"They're between the [frying] pan and the fire. … We all know there's a fraction of them that are black hat. But an astonishing majority are just looking to make a reward for what they're discovering. Legally, technologically, we've been doing research for how can we reward these people. Think of pharmaceuticals. … You develop your own intellectual property, sell it, there's no problem."

There is nothing new in the idea of buying vulnerabilities; flaw brokers include TippingPoint, iDefense Labs, Immunity and Netragard.

Wabisabilabi's name combines the Japanese word "Wabisabi," made up of the words wabi and sabi that together represent an aesthetic of imperfect, impermanent or incomplete beauty, with the German word for laboratory: Labi.

The new company is notable only for brokering vulnerabilities via an auction format. WSLabi pledges to verify vulnerability research by analyzing and replicating it in its independent labs and to then package it up with a PoC that will be sold on the marketplace via one of three ways: an auction with a predefined starting price; a sale to as many buyers as possible at a fixed price; or an exclusive sale to one buyer.

That may indeed sound good to researchers who are tired of pouring umpteen hours of work into research only to hand over their findings to product vendors for free, which is the white-hat approach to security research, wherein virtue and fame constitute a researcher's reward.

In theory, the open market should benefit researchers interested in fair remuneration. In practice, though, Wabisabilabi has already proved that a cat out of the bag isn't worth bupkis: once a listing describes the flaw well enough for buyers to value it, the description alone can be enough for a skilled reader to rediscover it.
