Zero-day auction site highlights ethical debate

The recent news that a Swiss start-up has begun selling vulnerability information on an eBay-style site had an air of inevitability about it. The only real question was why it took so long for someone to get this idea off the ground.

Things have been pointing this way for some time now. Researchers, crackers and others who spend significant amounts of time disassembling software code have been selling vulnerability data to the highest bidder in private auctions for decades. Even government agencies have gotten in on the bidding in some cases. More recently, organisations such as TippingPoint's Zero Day Initiative and VeriSign's iDefense unit have been paying for unpublished vulnerabilities for several years. Both companies have taken a lot of heat from researchers and software vendors for their tactics, but the complaints haven't slowed down the flood of submissions.

Now we have WabiSabiLabi, the vulnerability auction site launched earlier this month with a handful of bugs for sale. Aside from the genesis of the unfortunate name, there are two main questions that arise right away after taking a look at the site: Is this a viable business model? And, Should researchers be selling their findings to the highest bidder?

Let's address the more interesting of these first. Debates on the ethics of vulnerability disclosure, how much information to reveal, when to do it and how much time to give the vendor to patch have been raging for years. Leaving aside the question of full disclosure for the purposes of this discussion, the issue boils down to whether researchers have the right to do whatever they wish with the vulnerabilities they find. The answer is a qualified yes. Researchers doing original work on their own time should have the ability to do what they choose with the results of their work, within reason. No one is suggesting that people should be selling fully weaponised exploits to spam gangs or foreign governments. But selling details of a new vulnerability to an organisation planning to use it for penetration testing or to disclose it to the vendor is just a logical outgrowth of the free enterprise system.

About Behind The Firewall: In his weekly column, Executive Editor Dennis Fisher sounds off on the latest issues affecting the information security community.  Recent columns: IBM, HP reshape Web app security market The next security acquisition? Here's a wish list Eyeing unnoticed security researchers

Or at least that's how it would work in a perfect world. But, despite assurances from the folks behind WSLabi and similar programs, there's no practical way to guarantee that the buyer of a particular vulnerability won't simply turn around and resell it or hand the details over to someone with less-than-pure intentions. So far this hasn't been an issue, but if there is enough money at stake, nothing is out of the question.

The money part of the equation is one reason that this full-disclosure discussion is still ongoing after so many years. The opportunities for researchers to make a living wage from their work have been few and far between until quite recently, when software vendors and consulting firms began hiring them in droves. Before that, researchers could either quietly disclose their vulnerabilities to the vendors and hope that the companies were nice enough to mention them in their advisories, or they could post the details to a mailing list or Web site. Many researchers took the latter route and in the process built up enough of a name for themselves that they were able to either start their own consulting companies or get hired on at one of the vendors. So it's difficult to fault the researchers who have found willing trading partners in ZDI, WSLabi and others.

The question of whether this auction model will ultimately be a successful one is more straightforward. The only way that the vulnerabilities sold on WSLabi—or to the ZDI or iDefense—have any value is if they're unknown to the vendor and user community at the time of their sale and for some reasonable period of time thereafter. Already it's fairly obvious that the vulnerabilities on WSLabi don't meet this criterion. One of the items up for sale is a proof-of-concept exploit for a locally exploitable flaw in the Linux kernel , a vulnerability that already has a CVE number assigned to it and has been public for several months.

Worse, as Matasano's Dave Goldsmith points out, the auction listings for some of the items give away enough details that a skilled attacker could reverse-engineer the vulnerability without much trouble. That doesn't leave a lot of value for the potential buyer. It's difficult to see how WSLabi will be able to make a go of it this way.

But regardless of whether this particular effort succeeds, it's clear that the days of researchers giving away their work for free are long gone. It's now simply a question of who ponies up the most money.