E-Bay of Zero-Day Bugs Plans Expansion

WabiSabiLabi officials say they want to move beyond serving as a marketplace for zero-day flaws.

WabiSabiLabi made a bit of a scene when officials there announced they created a marketplace for security researchers to hawk their findings to the highest bidder.

Roughly two months after its creation, company officials are touting what they say is the success of their marketplace, which has had some 160,000 unique visitors, and is looking to expand.

"We are just about to launch side services derived from the expertise obtained with the marketplace," said Roberto Preatoni, the companys strategic director. "We are planning to launch a range of editorial and security services, including a brand new Intrusion Detection/Prevention system based on zero-day signatures. Partnerships with other security players have been signed and will be announced soon."

But for all the companys proclamations, not everyone in the security field buys into the approach WabiSabiLabi—has or WSLabi for short—has taken.

"Im not a big fan of the idea," said Jon Oltsik, an analyst with Enterprise Strategy Group. "Researchers generally spend time in this area for altruistic or academic reasons. This model turns it into a flea market mentality. Imagine if medical researchers could sell their work to the highest bidder on an auction web site. This would be a regulatory nightmare… (theres) too much room for abuse."

Preatoni sees things very differently.

"WabiSabiLabi doesnt encourage people to sell exploits and vulnerabilities," he said. "Instead we provide a marketplace that can be used by security researchers to place their findings in return for a legitimate reward, Preatoni said.


To read about the zero-day solution, click here.

"No exploits are traded through the platform. Winning bidders in fact, will obtain a fully detailed security research, possibly in a bundle with a proof of concept code, whose scope is to prove the vulnerability but that wouldnt be useful for not legitimate purposes," He said.

Officials at the Switzerland-based company are quite pleased with the growth of the marketplace, noting more than 150 vulnerabilities have been submitted. Not all vulnerabilities make it onto the marketplace. To date 40 have been rejected because they were uncovered through illegal methods such as reverse engineering protected software, according to the company.

WSLabi accepts only vulnerabilities that are not related to software or hardware tailor-made for a specific company, organization or government department, and the research has to be previously unpublished.

So far, Microsoft Windows has been the source of more vulnerabilities—51 —than anything else. The bugs have gone for as few as 100 euros to as many as 15,000.

All parties, buyers and sellers, have to identify themselves to WSLabi, and each buyer and seller has a nickname that they trade under to protect their identity. The auction site only contains the nicknames of the sellers along with an overview of the vulnerability. The buyer has to purchase the research to obtain full details of vulnerabilities.

"We do have full vetting procedures in place," Preatoni said. "In fact, we have already rejected potential buyers who failed to go through such procedures…(including) full identity verification as well as bank account verification," he said.


Read more here about about an attempt by hackers to sell a Vista zero-day exploit.

WSLabi currently has more than 1,000 registered sellers (researchers). Just two-thirds of the applications WSLabi has received to access the marketplace have survived the vetting process, which includes providing adequate documentation and proof of identification.

David Aitel, CTO and founder of Immunity, said while the site appears to be useful for those who have sold bugs—assuming they got paid—there is a fly in the ointment.

"An extraordinarily large amount of these bugs have been found and posted publicly before the auctions have ended, rendering them valueless," he said.

And there is the issue of pricing a vulnerability; deciding just how much that zero-day bug is worth.

"I dont see an easy way around the problem of valuing vulnerabilities other than a trusted third party testing and verifying them, which is a lot of work—work someone would have to get paid for," he said.

WSLabi officials said the company does verify the research submitted through its own independent testing laboratories and packages the with a proof of concept, and the company tries to help researchers design the best business model - selling strategies and starting prices for example—to maximize the value of their findings.

Still, Oltsik has his reservations.

"There are some things that shouldnt be monetized and security research is one in my humble opinion," he said. "Its a small community where everyone knows everyone else so I dont think it is necessary either."

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.