silicon-valley-sleuth

a blog from

Public exploit auction a bad idea

A Swiss company has launched WSLabi, the first public market place for security exploits.

Researchers can sell or auction off their exploits on the website. The company will certify the flaw and provide a proof of concept, offering buyers the assurance that they are getting the real thing.

The initiative will allow a larger number of vulnerabilities to get disclosed. Chief executive Harman Zampariolo claims that last year as many as 139,362 flaws were discovered, but only 7,000 were publicly disclosed. He fails to explain where he came up with such an exact number.

05 Jul 2007

The site currently offers 4 exploits with prices ranging from 500 to 2,000 Euro.

Paying for exploits isn't new. There are underground market places that continue to be well hidden from everybody, including most security researchers. Then you have bounty programmes from security vendors such as TippingPoint and software developers such as Mozilla.

An open market place has the obvious risk of attracting criminals. WSLabi may verify the identification of its buyers and sellers, but in the world of online fraud, fake identities are easy to come by.

Secondly, the security sector still believes overwhelmingly that researchers shouldn't be paid for exploit information. Instead they are credited, establishing them as capable pundits. Their reputation will then provide them with jobs at firms that hope to prevent painful security disclosures.

Thirdly, the public doesn't benefit from this service. A small-scale open source project is unlikely to pay up, and big firms such as Microsoft have so far refused to do so on principle. That means that security providers will likely end up with the information, which they can then use to build an independent patch or provide protection in their security software.

Independent patches are a bad idea because they are typically poorly tested. And having to rely on third-party security software comes awfully close to paying the mafia for protection.

WSLabi aims to solve the problem of security researchers not getting paid, or not getting paid enough. This is largely a perceived problem, and the service seems to create a slew of new issues.

Do you agree?
