A Swiss organization called WabiSabiLabi Ltd. has started up a
marketplace for zero-day flaws that will work much like the online
auction site eBay. At least one analyst said the move is almost
certain to fuel new debate over how flaws should be disclosed.
Among the first vulnerabilities available for a price is an
unpatched buffer overflow flaw in Yahoo! Messenger 8.1 that
attackers could exploit remotely to execute malicious code on
victims' machines. The WabiSabiLabi Web site
described the flaw as "remotely exploitable by any user in the
victim's address book (some interaction from the victim is
required)."
Eric Maiwald, a senior analyst at Midvale, Utah-based Burton
Group, said WabiSabiLabi's program could make exploits available to
attackers who might not have had them otherwise.
"I don't see this as something responsible," he said. "There
will already be people who know about these flaws, but now people
who didn't have them before will have an opportunity to get them
and as far as [WabiSabiLabi] is concerned it's not their problem.
That just doesn't fly."
Maiwald said the startup will add fuel to the wider debate over
responsible disclosure, but that he's "not sure this debate really
needs more gasoline."
WabiSabiLabi CEO Herman Zampariolo disagrees. He said the portal
was established to sell security research because very few
researchers are able or willing to report their findings to the
right people for fear of being exploited.
"Recently it was reported that although researchers had analyzed
a little more than 7,000 publicly disclosed vulnerabilities last
year, the number of new vulnerabilities found in code could be as
high as 139,362 per year," he said in a statement. "Our intention
is that the marketplace facility on WSLabi will enable security
researchers to get a fair price for their findings and ensure that
they will no longer be forced to give them away for free or sell
them to cyber-criminals."
He said researchers can submit their findings to the exchange
once they have registered. The organization will then run the
findings through its lab to verify the flaw works. It will then
package the findings as a proof of concept that can be sold to the
marketplace by auction with a predefined starting price. The proof
of concept could also be sold to as many buyers as possible at a
fixed price or exclusively sold to one buyer, Zampariolo said.
"WSLabi will also help researchers to design the best business
model (selling schemes, starting selling price etc.) which will
enable them to maximize the value of their findings," he said. "For
example, a piece of research that would currently sell to one
company on an exclusive basis for $300-$1,000 could sell for 10 to
20 times more than this amount using the portal."
Both researchers and buyers will have to identify themselves to
WSLabi to ensure they are legitimate, the organization said.
Researchers can't submit material from an illegal source or
activity. Buyers will also be carefully vetted before they can have
access to the auction platform so that the risk of "selling the
right stuff to the wrong people" is minimized. The marketplace will
be free to use for the first six months for both researchers and
buyers, the organization said.
This isn't the first operation where flaws are available for a
price, though it does appear to be the first instance where an open
marketplace has been established for it. VeriSign Inc.'s iDefense
Labs and 3Com Corp.'s Tipping Point division both offer payment for
vulnerability research, and some see them as examples of
irresponsible disclosure.
Critics of iDefense's Vulnerability Contributor Program (VCP), for
example, have argued it's nearly impossible to verify the identity
of hackers peddling their wares, especially if they want to remain
anonymous. They also believe there's no way to control information
once it's released to a third party.
TippingPoint's Zero-Day Initiative (ZDI) has sparked similar
concerns, though both VeriSign and 3Com have stressed that they
have thorough vetting procedures to keep the bad seeds out.
Those who support such programs have said they are necessary in
an age where security pros are struggling to stay ahead of
attackers who grow more sophisticated by the day. Such programs
give white hat researchers the chance to expose serious flaws while
IT pros are able to use the information to adequately defend their
companies, advocates have said.