The creators of WabiSabiLabi, a new eBay-like marketplace for zero-day flaws, say their cause is noble. But as far as some IT security pros are concerned such endeavours make their jobs difficult.
Ernie Hayden, the CISO of the Port of Seattle, said the site is a money-making venture that will only make it easier for attack code to fall into sinister hands.
"When I heard about WabiSabi, my first thought was that they can't be serious," Hayden said. "I'll bet you this helps the criminals because it gives them one more reference in the marketplace. It hurts the industry by making flaws more transparent, and it's one more way of saying the security industry is broken."
WabiSabiLabi CEO Herman Zampariolo said the portal was established to sell security research because few researchers are able or willing to report their findings to the right people out of fear of being exploited. He said tough measures are in place to ensure researchers and buyers are legitimate and that their intentions are geared toward better security rather than malicious deeds.
But Hayden and other security pros have no confidence in the WabiSabiLabi screening process. It's very difficult to weed out a bad seed if they are anonymous, Hayden said, noting that eBay has had its problems with people taking advantage of the process.
"How can you possibly prove someone is as trustworthy and legitimate as they say they are?" he asked. "Let's say I'm ticked at Adobe. I can start putting a bunch of stuff on this site and it may not be accurate, but Adobe still has to respond and their reputation can be hurt by it."
When a flaw is discovered, Hayden said the only responsible action is to report it to the vendor.
"It's not OK to release flaw details if a vendor hasn't fixed it after a certain period of time," he said.
This isn't the first time that a company sought to make money by making flaws available for a price, though it does appear to be the first instance where an open marketplace has been established for it. VeriSign Inc.'s iDefense Labs and 3Com Corp.'s Tipping Point division both offer payment for vulnerability research, and some see them as examples of irresponsible disclosure.
Critics of iDefense's Vulnerability Contributor Program (VCP), for example, have argued it's nearly impossible to verify the identity of hackers peddling their wares, especially if they want to remain anonymous. They also believe there's no way to control information once it's released to a third party.
Edward Ziots, a network engineer for a health organization in New England, said it may be useful for organizations to acquire flaw details, especially if a company is using it as part of its own penetration testing. But WabiSabiLabi looks too much like a black market for his comfort.
"You can't always tell when this stuff is legit," Ziots said. "You're sending zero-day flaws out to the masses, giving more code to the hackers so they can add it to the next worm. For IT professionals it raises the risk and means more work and more money to respond. It's another irresponsible disclosure under the guise of getting researchers paid for their work."
Others see little impact
While many IT pros worry about the negative impact WabiSabiLabi could have on security, some said it's unlikely the organization could tip the balance one way or the other. Pete Herzog, managing director of the Institute for Security and Open Methodologies (ISECOM), said it's unfortunate that WabiSabiLabi has gotten so much media attention.
"It adds nothing, good or bad, to the state of software security," he said in an email exchange. "This isn't really vulnerability disclosure. This is like selling alternative medicine on eBay, where you won't know what you are really getting because the same people who 'impartially' tell you it's copasetic are the same ones making a buck on it."
Charlie Burton, a senior technical analyst for a Colorado-based travel services company, also sees little threat from WabiSabiLabi.
"There are huge numbers tossed around about the number of zero-day vulnerabilities that are out, but many are marginal in terms of risk," he said in an email exchange. "I don't see WabiSabiLabi as adding a serious threat in that most significant vulnerabilities are exposed on the Internet soon after being discovered, anyway."
A viable business model?
WabiSabiLabi did not immediately respond to an interview request, though Zampariolo defends the organization's mission on the WabiSabiLabi Web site.
"Our intention is that the marketplace facility on WSLabi will enable security researchers to get a fair price for their findings and ensure that they will no longer be forced to give them away for free or sell them to cyber-criminals," he said.
Researchers can submit their findings to the exchange once they have registered. The organization will then run the findings through its lab to verify the flaw works, he said. It will then package the findings as a proof of concept that can be sold to the marketplace by auction with a predefined starting price. The proof of concept could also be sold to as many buyers as possible at a fixed price or exclusively sold to one buyer, Zampariolo said.
But many in the security community are skeptical as to whether WabiSabiLabi is even a viable business model. Indeed, some have already moved to undermine the operation.
Tuesday, a member of the Milw0rm forums posted a proof-of-concept exploit for a Linux kernel flaw WSLabi was trying to sell. In the introduction to the code on Milw0rm, the author wrote: "For free!!! ( worth 600 EUR in zerobay! )." [WSLabi has quickly acquired the nickname ZeroBay in security circles.]