The recent news that a Swiss start-up has begun selling vulnerability information
on an eBay-style site had an air of
inevitability about it. The only real question was why it took so
long for someone to get this idea off the ground.
Things have been pointing this way for some time now.
Researchers, crackers and others who spend significant amounts of
time disassembling software code have been selling vulnerability
data to the highest bidder in private auctions for decades. Even
government agencies have gotten in on the bidding in some cases.
More recently, organisations such as TippingPoint's Zero Day
Initiative and VeriSign's iDefense unit have been paying for
unpublished vulnerabilities for several years. Both companies have
taken a lot of heat from researchers and software vendors for their
tactics, but the complaints haven't slowed down the flood of
submissions.
Now we have WabiSabiLabi, the vulnerability auction site launched earlier this month with
a handful of bugs for sale. Aside from the genesis of the
unfortunate name, there are two main questions that arise right
away after taking a look at the site: Is this a viable business
model? And should researchers be selling their findings to the
highest bidder?
Let's address the more interesting of these first. Debates on
the ethics of vulnerability disclosure, how much information to reveal, when
to do it and how much time to give the vendor to patch have been
raging for years. Leaving aside the question of full disclosure for
the purposes of this discussion, the issue boils down to whether
researchers have the right to do whatever they wish with the
vulnerabilities they find. The answer is a qualified yes.
Researchers doing original work on their own time should have the
ability to do what they choose with the results of their work,
within reason. No one is suggesting that people should be selling
fully weaponised exploits to spam gangs or foreign governments. But
selling details of a new vulnerability to an organisation planning
to use it for penetration testing or to disclose it to the vendor
is just a logical outgrowth of the free enterprise system.
Or at least that's how it would work in a perfect world. But,
despite assurances from the folks behind WSLabi and similar
programs, there's no practical way to guarantee that the buyer of a
particular vulnerability won't simply turn around and resell it or
hand the details over to someone with less-than-pure intentions. So
far this hasn't been an issue, but if there is enough money at
stake, nothing is out of the question.
The money part of the equation is one reason that this
full-disclosure discussion is still ongoing after so many years.
The opportunities for researchers to make a living wage from their
work have been few and far between until quite recently, when
software vendors and consulting firms began hiring them in droves.
Before that, researchers could either quietly disclose their
vulnerabilities to the vendors and hope that the companies were
nice enough to mention them in their advisories, or they could post
the details to a mailing list or Web site. Many researchers took
the latter route and in the process built up enough of a name for
themselves that they were able to either start their own consulting
companies or get hired on at one of the vendors. So it's difficult
to fault the researchers who have found willing trading partners in
ZDI, WSLabi and others.
The question of whether this auction model will ultimately be a
successful one is more straightforward. The only way that the
vulnerabilities sold on WSLabi—or to the ZDI or iDefense—have any
value is if they're unknown to the vendor and user community at the
time of their sale and for some reasonable period of time
thereafter. Already it's fairly obvious that the vulnerabilities on
WSLabi don't meet this criterion. One of the items up for sale is a
proof-of-concept exploit for a locally
exploitable flaw in the Linux kernel, a vulnerability that
already has a CVE number assigned to it and has been public for
several months.
Worse, as Matasano's Dave Goldsmith points out, the
auction listings for some of the items give away enough details
that a skilled attacker could reverse-engineer the vulnerability
without much trouble. That doesn't leave a lot of value for the
potential buyer. It's difficult to see how WSLabi will be able
to make a go of it this way.
But regardless of whether this particular effort succeeds, it's
clear that the days of researchers giving away their work for free
are long gone. It's now simply a question of who ponies up the most
money.