The creators of WabiSabiLabi, a new eBay-like marketplace for zero-day flaws, say their cause is noble. But as far as some IT security pros are concerned, such endeavours make their jobs more difficult.
Ernie Hayden, the CISO of the Port of Seattle, said the site is a money-making venture that will only make it easier for attack code to fall into sinister hands.
"When I heard about WabiSabi, my first thought was that they can't be serious," Hayden said. "I'll bet you this helps the criminals because it gives them one more reference in the marketplace. It hurts the industry by making flaws more transparent, and it's one more way of saying the security industry is broken."
WabiSabiLabi CEO Herman Zampariolo said the portal was established to sell security research because few researchers are able or willing to report their findings to the right people out of fear of being exploited. He said tough measures are in place to ensure researchers and buyers are legitimate and that their intentions are geared toward better security rather than malicious deeds.
But Hayden and other security pros have no confidence in the WabiSabiLabi screening process. It's very difficult to weed out a bad seed if they are anonymous, Hayden said, noting that eBay has had its problems with people taking advantage of the process.
"How can you possibly prove someone is as trustworthy and legitimate as they say they are?" he asked. "Let's say I'm ticked at Adobe. I can start putting a bunch of stuff on this site and it may not be accurate, but Adobe still has to respond and their reputation can be hurt by it."
When a flaw is discovered, Hayden said, the only responsible action is to report it to the vendor.
"It's not OK to release flaw details if a vendor hasn't fixed it after a certain period of time," he said.
This isn't the first time that a company has sought to make money by making flaws available for a price, though it does appear to be the first instance where an open marketplace has been established for it. VeriSign Inc.'s iDefense Labs and 3Com Corp.'s TippingPoint division both offer payment for vulnerability research, and some see them as examples of irresponsible disclosure.
Critics of iDefense's Vulnerability Contributor Program (VCP), for example, have argued it's nearly impossible to verify the identity of hackers peddling their wares, especially if they want to remain anonymous. They also believe there's no way to control information once it's released to a third party.
Edward Ziots, a network engineer for a health organization in New England, said it may be useful for organizations to acquire flaw details, especially if a company is using them as part of its own penetration testing. But WabiSabiLabi looks too much like a black market for his comfort.
"You can't always tell when this stuff is legit," Ziots said. "You're sending zero-day flaws out to the masses, giving more code to the hackers so they can add it to the next worm. For IT professionals it raises the risk and means more work and more money to respond. It's another irresponsible disclosure under the guise of getting researchers paid for their work."
Others see little impact
While many IT pros worry about the negative impact WabiSabiLabi could have on security, some said it's unlikely the organization could tip the balance one way or the other. Pete Herzog, managing director of the Institute for Security and Open Methodologies (ISECOM), said it's unfortunate that WabiSabiLabi has gotten so much media attention.
"It adds nothing, good or bad, to the state of software security," he said in an email exchange. "This isn't really vulnerability disclosure. This is like selling alternative medicine on eBay, where you won't know what you are really getting because the same people who 'impartially' tell you it's copasetic are the same ones making a buck on it."
Charlie Burton, a senior technical analyst for a Colorado-based travel services company, also sees little threat from WabiSabiLabi.
"There are huge numbers tossed around about the number of zero-day vulnerabilities that are out, but many are marginal in terms of risk," he said in an email exchange. "I don't see WabiSabiLabi as adding a serious threat in that most significant vulnerabilities are exposed on the Internet soon after being discovered, anyway."
A viable business model?
WabiSabiLabi did not immediately respond to an interview request, though Zampariolo defends the organization's mission on the WabiSabiLabi Web site.
"Our intention is that the marketplace facility on WSLabi will enable security researchers to get a fair price for their findings and ensure that they will no longer be forced to give them away for free or sell them to cyber-criminals," he said.
Researchers can submit their findings to the exchange once they have registered. The organization will then run the findings through its lab to verify that the flaw works, he said. It will then package the findings as a proof of concept that can be sold on the marketplace by auction with a predefined starting price. The proof of concept could also be sold to as many buyers as possible at a fixed price, or sold exclusively to one buyer, Zampariolo said.
But many in the security community are skeptical as to whether WabiSabiLabi is even a viable business model. Indeed, some have already moved to undermine the operation.
Tuesday, a member of the Milw0rm forums posted a proof-of-concept exploit for a Linux kernel flaw WSLabi was trying to sell. In the introduction to the code on Milw0rm, the author wrote: "For free!!! ( worth 600 EUR in zerobay! )." [WSLabi has quickly acquired the nickname ZeroBay in security circles.]