NSS Labs to Open Exploit Marketplace for Security Community

NSS Labs' Exploit Hub will make exploits for known vulnerabilities available to pen testers and other buyers.

NSS Labs is planning to open an online store for security exploits.

Through the Exploit Hub, NSS Labs will allow researchers to buy and sell exploits. According to NSS Labs President Rick Moy, the initial set of buyers will be "known quantities" such as penetration-testing companies and security vendors.

"The goal is to close the capabilities gap between the cyber-criminals and white hats, by enabling defenders to perform more comprehensive testing of their defenses," Moy told eWEEK.

The company will take a 30 percent cut of the sales in exchange for testing and validating the exploits as well as promoting and managing the marketplace. The price of exploits will be driven by demand, with the researchers who submit the exploits deciding on the price tag for their work, Moy added.

"Identities and reputations of companies and individuals will be [a] key factor," Moy said. "We plan to leverage our long-standing independent position in the information security community and network of peers to vet the participants."

No zero-day vulnerabilities will be sold through the store, something that distinguishes it from marketplaces like the one previously run by WabiSabiLabi.

"In the end, the efforts required to keep a zero-day secret also work against the concept of an open marketplace," said HD Moore, chief security officer at Rapid7 and creator of Metasploit. "The NSS approach sounds like a great way for exploit developers to profit from their work and an excellent source of useful tools for penetration testers everywhere. Since they are only dealing with exploits for which vulnerability details are already available, it's less about safeguarding sensitive information and more about creating a market for exploit tools."

NSS Labs is planning a "phased release approach to vetted buyers" and is aiming to open the store in October, Moy said. Interested parties can sign up by contacting exploithub@nsslabs.com.