Security Marketplace Called ”eBay for Vulnerabilities”

Psst. Want to buy a zero-day?

A Swiss startup called WabiSabiLabi has some for sale, but to qualified buyers only.

Last week, the company launched a security vulnerability marketplace, where details on unpatched software flaws can be bought and sold. By Thursday, the site was offering details on four bugs in products such as the Linux kernel and Yahoo Messenger. No bids had yet been registered, and asking prices for the research ranged between 500 euros (US$681) and 2,000 euros.

A zero-day vulnerability is a previously undisclosed bug that has not been fixed by the vendor.

WabiSabiLabi argues that the computer industry’s ethical disclosure policies have led to a raw deal for security researchers, who typically are not paid for disclosing vulnerabilities. “Nobody in the pharmaceutical industry is blackmailing researchers (or the companies that are financing the research), to force them to release the results for free under an ethical disclosure policy,” the WabiSabiLabi website states. Representatives from WabiSabiLabi could not immediately be reached for comment.

The company bills its marketplace as a way for “security researchers to get a fair price for their findings and ensure that they will no longer be forced to give them away for free or sell them to cyber-criminals.”

But to David Perry at Trend Micro, it looks like something else. “It’s going to be eBay for vulnerabilities,” he said.

Although WabiSabiLabi says it will sell details only to legitimate buyers, Perry is concerned that the site could be used to put dangerous information into the hands of criminals. “We’re looking at the potential of cyberwarfare coming up,” said Perry, who is Trend Micro’s global director of education. “Now we’re going to peddle vulnerabilities in a winner-takes-all auction. How do we know who’s good and who’s bad when we do this?”

Security researcher Cesar Cerrudo said that while it’s uncommon for researchers to go underground to sell their vulnerabilities, it does happen. “Researchers will try to get money in the easier and faster way, and sometimes that can only be done in the black market,” said Cerrudo, CEO of Argeniss Information Security.

WabiSabiLabi is run by Herman Zampariolo, formerly CEO of Italian networking vendor iLight. It lists Roberto Preatoni, founder of the Zone-h.org cyber-defacement website, as its strategic director.

Like eBay, WabiSabiLabi offers sellers a variety of options. Research can be offered at a fixed price, sold at auction, or sold to a number of different buyers in what is known as a Dutch auction.

WabiSabiLabi will test the research to make sure the vulnerabilities operate as advertised, and the company will also vouch for the sellers and buyers, who can remain anonymous and trade under nicknames.

Companies such as 3Com’s TippingPoint division and VeriSign’s iDefense Labs have offered cash for this type of research before, but this is the first time that such an open marketplace has been created, Perry said.

Argeniss’s Cerrudo doesn’t share Perry’s fear of the vulnerabilities being misused. “This is already happening in the underground,” he said, “but with a public service like this, I think things are a little clearer.”

—Robert McMillan, IDG News Service (San Francisco Bureau)