
    E-Bay of Zero-Day Bugs Plans Expansion

    Written by

    Brian Prince
    Published October 12, 2007

      WabiSabiLabi made a bit of a scene when officials there announced they created a marketplace for security researchers to hawk their findings to the highest bidder.

      Roughly two months after its creation, company officials are touting what they say is the success of their marketplace, which has had some 160,000 unique visitors, and are looking to expand.

      “We are just about to launch side services derived from the expertise obtained with the marketplace,” said Roberto Preatoni, the company's strategic director. “We are planning to launch a range of editorial and security services, including a brand new Intrusion Detection/Prevention system based on zero-day signatures. Partnerships with other security players have been signed and will be announced soon.”

      But for all the company's proclamations, not everyone in the security field buys into the approach WabiSabiLabi, or WSLabi for short, has taken.

      “I'm not a big fan of the idea,” said Jon Oltsik, an analyst with Enterprise Strategy Group. “Researchers generally spend time in this area for altruistic or academic reasons. This model turns it into a flea market mentality. Imagine if medical researchers could sell their work to the highest bidder on an auction web site. This would be a regulatory nightmare… (there's) too much room for abuse.”

      Preatoni sees things very differently.

      “WabiSabiLabi doesn't encourage people to sell exploits and vulnerabilities,” he said. “Instead we provide a marketplace that can be used by security researchers to place their findings in return for a legitimate reward.”

      “No exploits are traded through the platform. Winning bidders, in fact, will obtain a fully detailed security research, possibly in a bundle with a proof of concept code, whose scope is to prove the vulnerability but that wouldn't be useful for not legitimate purposes,” he said.

      Officials at the Switzerland-based company are quite pleased with the growth of the marketplace, noting more than 150 vulnerabilities have been submitted. Not all vulnerabilities make it onto the marketplace. To date 40 have been rejected because they were uncovered through illegal methods such as reverse engineering protected software, according to the company.

      WSLabi accepts only vulnerabilities that are not related to software or hardware tailor-made for a specific company, organization or government department, and the research has to be previously unpublished.

      So far, Microsoft Windows has been the source of more vulnerabilities (51) than anything else. The bugs have gone for as little as 100 euros to as much as 15,000.

      All parties, buyers and sellers, have to identify themselves to WSLabi, and each buyer and seller has a nickname that they trade under to protect their identity. The auction site only contains the nicknames of the sellers along with an overview of the vulnerability. The buyer has to purchase the research to obtain full details of vulnerabilities.

      “We do have full vetting procedures in place,” Preatoni said. “In fact, we have already rejected potential buyers who failed to go through such procedures…(including) full identity verification as well as bank account verification,” he said.

      WSLabi currently has more than 1,000 registered sellers (researchers). Just two-thirds of the applications WSLabi has received to access the marketplace have survived the vetting process, which includes providing adequate documentation and proof of identification.

      David Aitel, CTO and founder of Immunity, said while the site appears to be useful for those who have sold bugs—assuming they got paid—there is a fly in the ointment.

      “An extraordinarily large amount of these bugs have been found and posted publicly before the auctions have ended, rendering them valueless,” he said.

      And there is the issue of pricing a vulnerability; deciding just how much that zero-day bug is worth.

      “I don't see an easy way around the problem of valuing vulnerabilities other than a trusted third party testing and verifying them, which is a lot of work—work someone would have to get paid for,” he said.

      WSLabi officials said the company does verify the research submitted through its own independent testing laboratories and packages it with a proof of concept, and the company tries to help researchers design the best business model (selling strategies and starting prices, for example) to maximize the value of their findings.

      Still, Oltsik has his reservations.

      “There are some things that shouldn't be monetized and security research is one in my humble opinion,” he said. “It's a small community where everyone knows everyone else so I don't think it is necessary either.”
