NEWS ANALYSIS: Vulnerability auctions are nothing new

Patrick Gray says the furore over Wabisabilabi's '0bay' Web-site is hype at its worst.

From the hype surrounding a Swiss company's launch of an eBay-style auction site for security vulnerabilities, you'd think the sky was about to cave in.

The truth is that vulnerability information has been traded as a commodity for some time now.

The reaction to news of Wabisabilabi's '0bay' Web-site was nothing short of overkill. It was reported, Slashdotted, blogged and analysed. It's what you can expect when a commercial player moves to legitimise what has traditionally been a black market activity, but it also seems the most important aspects of the debate have been lost.

Think of companies like iDefense, now owned by Verisign. That company bought security vulnerability information from researchers which it would then on-sell to its customers under a subscriber model. When it first publicised its methods, they were regarded as controversial, but the world didn't end. The purchase of security vulnerability information by security companies is now an established and accepted business practice. So the act of buying vulnerabilities isn't new; what is new is the idea of selling them on an open marketplace.

Some rather large red herrings flying about the place can also be debunked by considering the following: the bad guys are hardly having a rough time finding or buying vulnerabilities as things stand now.

Besides, Wabisabilabi probably can't pull it off anyway. By listing details of the vulnerabilities on its auction site, it tips off the vendors to the problem, and they will almost certainly start internal audits to identify the bug themselves, thus devaluing the information offered for sale.

You can't let the cat out of the bag twice.

The Washington Post reported one bug offered on the site -- in the open source webmail package Squirrelmail -- was picked up by the team that maintains the software and then patched. That rendered the bug offered for sale by auction utterly useless.

In fact, a quick glance at the auction site reveals a marketplace that is hardly thriving. Five vulnerabilities were available on the site at the time of writing - including bugs in Yahoo! Instant Messenger 8.1, Linux and Pidgin. The five bugs have attracted three bids so far between them.

The other fact that seems to have gotten lost is that this is nothing new at all. Some cheeky fellow actually tried selling an Excel 0day on eBay in 2005, but the online auctioneer pulled the listing. SecurityFocus reported that in 2003 Greg Hoglund registered the domain to set up a site with the same purpose, before deciding he didn't want the heat that came with the concept. It turned out to be a sensible move, judging from the press Wabisabilabi is getting.

Then there was Finjan's claim last year that its malware research boffins had found underground vulnerability auction sites actively trading in 0day bugs.

So, after we've boiled this whole thing down, the only issue of consequence is the worry that bad guys could wind up buying vulnerabilities from researchers in an open marketplace.

Surely if the bugs traded through a vulnerability auction site start being used in malware prior to vendor notification, then it would be time to kick up a stink.

Until then, it's just a storm in a teacup.