Claiming that security researchers are dissatisfied with current remuneration—white-hat chump change or the potential of black-hat broken kneecaps—a Swiss company has launched the first non-black-market auction site for zero-day vulnerabilities.
The eBay-like bug market, called Wabisabilabi, launched July 3. Security researchers and vulnerability brokers like the concept of selling vulnerabilities for fair market price just fine, but they also say the auction site has some serious flaws: lack of transparency (just who, exactly, is running this thing?); lack of ethics in selling vulnerabilities as opposed to just getting vendors to fix their products ASAP and thereby getting users protected ASAP; and lastly, the fact that you can't reveal details about a vulnerability without tipping off researchers on how to find it.
That, in fact, has already happened with one of Wabisabilabi's items, a command-execution PoC (proof of concept) for a vulnerability in the Squirrelmail GPG Plugin that researchers believe they nailed after a mere 10 minutes of pondering the code and the flaw description.
Thus far, the auction site's listings page contains four flaws up for bid: a PoC for a local Linux kernel memory leak, not remotely exploitable, with one bid, now going for 600€; the vulnerability in the Squirrelmail GPG Plugin, also up to 600€ in spite of having likely been uncovered elsewhere; a remotely exploitable SQL Injection vulnerability in MKPortal for which nobody's bidding; and the pièce de résistance: a PoC for a gleaming, zero-day, Yahoo Messenger 8.1 remote buffer overflow on Windows XP, remotely exploitable by—get this—any user in the victim's address book (although some interaction from the victim is required).
Arbitrary code execution possible but non-trivial.
All for a paltry minimum bid of 2,000€.
Actually, compared with prices reportedly paid by vulnerability brokers or on the black market, 2,000€—that's $2,725.30 in U.S. dollars—is paltry. Open-source software maker The Mozilla Foundation may only reward security researchers with $500 and a T-shirt for a reported flaw, but black-market prices reportedly range into six digits.
H.D. Moore, founder of the Metasploit Project, has been offered between $60,000 and $120,000 by a private buyer for each client-side vulnerability found in Internet Explorer, for example.
Granted, the marketplace is young. It could be that Wabisabilabi hasn't yet vetted many buyers or sellers. Or, as pointed out by Terri Forslof, manager of security response for 3Com's TippingPoint division, vulnerability sellers or buyers may be hesitant to give it a try, as they were when TippingPoint launched its own ZDI (Zero-Day Initiative).
Nobody's bidding at Wabisabilabi, her thinking goes, since they don't see anybody else bidding, and they have no clue how much to bid anyway. TippingPoint's ZDI buys vulnerabilities from researchers, notifies the affected product vendor, and protects its own customers from zero days through its intrusion prevention technology.
And yet the idea behind Wabisabilabi is to get security researchers a fair price for their findings and “ensure that they will no longer be forced to give them away for free or sell them to cyber-criminals,” according to the company's launch press release.
“We strongly believe … researchers [who are] … doing their job and researching security … these guys need to be brought into legitimate revenue with legitimate reward for what they're doing,” said Herman Zampariolo, CEO of WSLabi, in an interview with eWEEK.
“They're between the [frying] pan and the fire. … We all know there's a fraction of them that are black hat. But an astonishing majority are just looking to make a reward for what they're discovering. Legally, technologically, we've been doing research for how can we reward these people. Think of pharmaceuticals. … You develop your own intellectual property, sell it, there's no problem.”
Wabisabilabis name combines the Japanese word “Wabisabi,” made up of the words wabi and sabi that together represent an aesthetic of imperfect, impermanent or incomplete beauty, with the German word for laboratory: Labi.
The new company is notable only for brokering vulnerabilities via an auction format. WSLabi pledges to verify vulnerability research by analyzing and replicating it in its independent labs and to then package it up with a PoC that will be sold on the marketplace via one of three ways: an auction with a predefined starting price; a sale to as many buyers as possible at a fixed price; or an exclusive sale to one buyer.
That may indeed sound good to researchers who are tired of pouring umpteen hours of work into research only to hand over their findings to product vendors for free, which is the white-hat approach to security research, wherein virtue and fame constitute a researcher's reward.
In theory, the open market should benefit researchers interested in fair remuneration. In practice, though, Wabisabilabi has already proved that a cat out of the bag isn't worth bupkis.
When Disclosure Works Against
Charlie Miller, a consultant for Independent Security Evaluators, in Baltimore, Md., is one of those security researchers who want to be reimbursed for their time. After finding a bug in the open-source application Samba in 2005, he tried to sell it to the usual suspects: the security firms who would have lost out if attackers had exploited the weakness.
The problem Miller found was that he had no idea what the Samba flaw was worth. He eventually wound up selling the bug in 2006 to a U.S. government contractor for a respectable $50,000, but even now he's not sure he got a fair price.
What Miller does know is that the longer he waited, the less value the vulnerability would have, given the likelihood that it would be discovered elsewhere or even patched by Samba.
Would an auction site have gotten Miller a better price? That's the ultimate question, he said.
“In theory, it would seem that the open market would benefit me,” he said in an e-mail exchange with eWEEK. “However, I know some buyers would not use the site, limiting the potential bidders.”
For example, with his Samba exploit, Miller wanted to offer it to iDefense and TippingPoint to see what they would offer, “just out of curiosity,” he said. The ultimate buyer told him that if he did contact the vulnerability brokers, it would reduce the value of his finding, since more people would know about it.
Wabisabilabi is the perfect example of how disclosure can work against a security researcher. It's epitomized in what has happened since the auction site first listed the flaw for the GPG plugin to Squirrelmail Version 2.0. Even though the site gave scant details to describe the vulnerability, namely that it is a command injection, the information was specific enough to Miller and other researchers that they've been able to determine what the bug most likely is.
“Looking at [the flaw and its potential location in Squirrelmail code] for 10 minutes, it looks like the exec in gpg_sign_attachment() where shell meta characters are in $passphrase,” Miller wrote on the Daily Dave blog. “The MKPortal one looks pretty easy to find too. It's nice for someone to point these bugs out so we can go look for them!”
In fact, the GPG plugin in the last day or two released a new version, 2.1, Miller pointed out, which likely spoiled the Wabisabilabi auction for the item. “They get $0 now but may have gotten a couple hundred bucks from TippingPoint,” Miller said in his interview with eWEEK.
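To make concrete why a one-line description ("command injection", an exec() in gpg_sign_attachment(), shell metacharacters in $passphrase) is enough to go bug hunting, here is an added PHP illustration of that pattern and its fix. It is not the SquirrelMail GPG plugin's own code and does not reproduce the actual bug; the function names, the gpg invocation and the sample passphrase are all assumptions constructed for the example.

```php
<?php
// Added example, not code from the SquirrelMail GPG plugin. The function and
// variable names below are hypothetical; the sample passphrase is constructed.

// VULNERABLE PATTERN: the user-supplied passphrase is interpolated, unquoted,
// into a command string that will be handed to /bin/sh -c by exec(). Any shell
// metacharacter in it (; | & ` $( ) etc.) is parsed as shell syntax, so the
// "passphrase" can carry a second command.
function build_sign_command_vulnerable(string $file, string $passphrase): string
{
    return "gpg --batch --passphrase $passphrase --armor --detach-sign $file";
}

// HARDENED, STEP 1: every untrusted value that must appear on a command line
// goes through escapeshellarg(), which single-quotes it and escapes embedded
// single quotes, so the shell sees exactly one argument regardless of content.
function build_sign_command_hardened(string $file, string $passphrase): string
{
    return 'gpg --batch --passphrase ' . escapeshellarg($passphrase)
         . ' --armor --detach-sign ' . escapeshellarg($file);
}

// HARDENED, STEP 2 (what a reviewer would actually ask for): keep the secret off
// the command line entirely, because argv is visible to every local user via
// `ps`, and skip the shell altogether by passing proc_open() an argv array
// (PHP >= 7.4). gpg reads the passphrase from fd 0 instead.
function sign_attachment(string $file, string $passphrase): array
{
    $argv = [
        'gpg', '--batch',
        '--pinentry-mode', 'loopback',   // required by GnuPG 2.1+ for --passphrase-fd
        '--passphrase-fd', '0',
        '--armor', '--detach-sign', $file,
    ];
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        return ['status' => -1, 'stderr' => 'proc_open failed'];
    }
    fwrite($pipes[0], $passphrase . "\n");   // secret travels over the pipe only
    fclose($pipes[0]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return ['status' => proc_close($proc), 'stderr' => $stderr];
}

// Constructed attacker input: a passphrase that terminates the gpg command,
// runs `id`, and comments out the remaining arguments with `#`.
$attack = 'secret; id > /tmp/pwned #';

// In the vulnerable string the `;` ends the gpg command and `id > /tmp/pwned`
// runs as the web server user; in the hardened string the whole value is one
// quoted token that gpg merely rejects as a wrong passphrase.
echo build_sign_command_vulnerable('/tmp/msg.txt', $attack), "\n";
echo build_sign_command_hardened('/tmp/msg.txt', $attack), "\n";
```

Running the two echo lines side by side is the whole lesson: the description on the auction page told a reader which function to open and which variable to trace, and the rest is a quick look for an unquoted interpolation. escapeshellarg() closes the injection; moving the secret to a pipe and dropping the shell closes the local-disclosure problem that a `--passphrase` argument creates even after quoting.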
Zampariolo admits that Wabisabilabi is always going to be vulnerable to having researchers work out vulnerabilities on their own, based on the information the auction site provides. “We're always in the middle,” he said. “We're always sure [we'll] make some mistakes. Sometimes [we'll] publish so much that somebody in the field can discover [the vulnerability details] and go ahead [and publish them].”
Wabisabilabi is counting on some level of laziness to float its business. Some researchers will be either too lazy or simply unable to figure out the flaw details from the information listed on the auction site. “If you want the Squirrelmail vulnerability, you're spending 500 bucks. If you're very smart [and figure it out on your own], OK, I will cheer to that,” he said. “We're between the fire and the frying pan.”
At any rate, Dave Aitel, founder of Immunity, agrees that it's hard to value a vulnerability or exploit without seeing it. “It's hard to even know if there is a vulnerability without testing an exploit, which makes this sort of model really hard,” he said in an e-mail exchange. “Immunity relies on getting familiar with our suppliers so we don't have to pre-vet everything.”
Besides, Aitel said, the timing can be tricky with vulnerability purchases. “How do buyers know that the vulnerability wasn't sold to someone else immediately before going onto the auction site? Obviously they don't, which is going to lower the value of any bug sold,” he said.
The auction mechanism is therefore useful for low-value bugs, Aitel said, but not as useful for anything of higher value. Besides, he said, Wabisabilabi's prices are “way too high” for low-value vulnerabilities, which is why no one is currently bidding.
The sticking point for TippingPoint's Forslof is Wabisabilabi's lack of transparency. “You don't know who the guys are, who's backing it, who's funding [the flaws],” she said in an interview with eWEEK.
The Ethics of Selling
“This seems a little more like an attempt at legitimizing the black market, where you're looking at a situation where … it's not so much the sellers I would be concerned about. We deal with all sorts of sellers through our program and know which ones we shouldn't buy from, that sort of thing. But the buyers is what really concerns me. What I see is there's probably not going to be a number of software vendors, and certainly not large vendors like a Microsoft that will step in and buy their own vulnerabilities. It goes against [Microsoft's] own corporate value system to do so. I see other organizations buying these vulnerabilities. … I don't see those vulnerabilities being reported to the vendor.”
That's of particular concern when considering a flaw up for auction such as the Yahoo Messenger flaw: a remotely exploitable buffer overflow. Forslof asked, who would possibly be interested in such a vulnerability, whose primary target is end users?
“Well, its attackers,” she said. “Not security vendors so much. … It seems to be directed at the end user.”
Wabisabilabi firmly believes that a company such as Yahoo should be interested in fixing the flaw—and soon. “I would have already registered … and [bid] for the incredible value of 1,000 bucks and upgraded for every Messenger client in the world,” Zampariolo said.
Maybe, maybe not. Maybe Microsoft will nudge its partners to purchase vulnerabilities off the auction site, as Zampariolo suggests could happen. Maybe not.
At any rate, the issue of who would buy such a vulnerability also troubles Adriel Desautels, chief technology officer at vulnerability broker and vulnerability assessment and penetration testing firm Netragard.
“[Wabisabilabi] looks very much like an eBay auction site,” Desautels said in an interview with eWEEK. “Imagine if they auctioned off vulnerabilities that enabled somebody to penetrate a whole slew of Windows operating systems. If a person says, ‘I've got this nice new zero day now and I'm going to write a worm,’ and it takes systems down, and the government goes to research this, they'll say, ‘Who is the person who discovered this?’ or ‘How did they get this technology?’ They'll go back to the lab and see who sold [the buyer] this [vulnerability]. … When you're auctioning cyber weaponry capable of doing serious damage to cyber infrastructures, you're going to get shut down very fast.”
In fact, Desautels won't do business with any organization or government outside of the United States, due to liability.
“The reason why I [stay only with U.S.-based organizations] is for no other reason than I think you are a whole lot less exposed if you keep these things in your own territory,” he said. “I would never sell an exploit to an individual. If you deal with businesses in the United States, they're bound by your jurisdiction, by U.S. law.”
Wabisabilabi's Zampariolo defends the company's vetting process. It goes like this: A buyer needs to register by providing a slew of documents to the auction site, including proof of identity such as a passport photocopy. Wabisabilabi then needs information proving the company's registration (Wabisabilabi, like other flaw brokers, won't deal with individual buyers).
Beyond that, Wabisabilabi requires a physical means of communication, such as a land-line phone number that's registered to the company that's registering as a buyer. And last but not least, he said, anonymity on the part of buyers is forbidden.
Whether or not such a vetting process will satisfy the ethics of security researchers remains to be seen and depends greatly on where a given researcher falls on the scale of white-gray-black hat.
At the same time, the ethics of selling vulnerabilities as opposed to getting them into the hands of vendors simply appalls many. A contributor to Bugtraq named Radoslav Dejanović put it this way:
“As [news articles about Wabisabilabi] did not let the reader know of an alternative (a place such as this one, where people give away their knowledge of vulnerabilities for free), there's no reason not to conclude that finding bugs in code is a great way to earn money. Talk about the message to the little kids.”