Site Auctions Software Vulnerabilities to Top Bidder

Tim Greene, Network World


There are many ways vulnerability information can get out to the industry but a controversial new site, auctioning such information to the highest bidder, may be the wave of the future.

The auction service, called WabiSabiLabi, lets potential sellers and buyers connect eBay-style, with timed bidding periods and minimum starting prices. Founders of the wslabi.com site say their auction house serves the researchers who discover vulnerabilities and often don't reap monetary rewards for their time and talent.

The business model is based on a practice that eBay shut down 16 months ago, saying it promoted illegal activity. At the recent Black Hat show, published reports stated that 88 percent of respondents to an online poll said using such sites is dangerous. While it is accepted that researchers deserve to be paid for their work, selling to the highest bidder is frowned upon.

WabiSabiLabi disagrees, saying its e-marketplace, where any qualified buyer can bid, will actually discourage those who discover vulnerabilities from selling them on black markets to criminals who try to turn them into money.

The company says it checks out buyers and sellers before they can trade. "We are very aware about the risks of selling vulnerabilities, and this is why we subject buyers to deeper scrutiny, to minimize the risk of selling the wrong information to the wrong people," WabiSabiLabi says in its ethics statement. "We require non-anonymity from buyers and sellers alike. The stakes are just too high at this point in history."

Even so, the marketplace, which started business six weeks ago, is being eyed cautiously by entities dedicated to eliminating vulnerabilities quickly to avoid criminal exploitation.

"I don't think it's necessarily good for the community," says Jason Greenwood, the general manager of VeriSign's iDefense team, which pays bounties -- sometimes tens of thousands of dollars -- to researchers who discover vulnerabilities. "It will increase the perceived value of vulnerabilities, and the good guys already have trouble competing with the money you can get on the black market."

"There's a real danger that a number of these vulnerabilities will be purchased by buyers who do not turn them over to the vendors," says Terri Forslof, manager of security response for Tipping Point. "Once a vulnerability is turned over to a vendor its value starts to depreciate immediately. If someone paid lots of money for a vulnerability -- say US$75,000 to $100,000 -- I guarantee they're not giving it to the vendor. Otherwise they've wasted their money."

VeriSign and its competitor Tipping Point, for example, both pay cash for significant vulnerability discoveries in an effort to plug software holes before they can be exploited. The companies then work with the vendors whose software is compromised to find fixes and publish the vulnerabilities.

VeriSign runs quarterly challenges paying as much as $15,000 for researchers to find particular types of vulnerabilities in particular platforms, Greenwood says. Tipping Point ranks contributing vulnerability researchers as bronze, silver, gold and platinum depending on the quantity and quality of their discoveries, according to its description of Tipping Point's Zero Day Initiative. It rewards them with cash bonuses up to $25,000 and pays their way to the Defcon and Black Hat security conferences.

Underground markets pay as much or more, experts say. Charlie Miller of Independent Security Evaluators, says he sold a Linux Daemon vulnerability for $50,000 to an organization he approached directly. But he had no idea whether somebody else would have paid much more, he says in a talk delivered at Carnegie Mellon University's Workshop on the Economics of Information Security earlier this year.

"I had no way to know the fair market value of this exploit," he says in his paper, "The Legitimate Vulnerability Market; Inside the Secretive World of 0-Day Exploit Sales," which he delivered at the conference. "I may have been off by a factor of 10 or more."

Money isn't the motivation behind most of the vulnerabilities reported to entities that will try to fix them, says Art Manion, team leader for vulnerabilities at Carnegie Mellon's Software Institute CERT program, a nonprofit that acts as a go-between for researchers and software vendors.

"They desire to get the vulnerability out in the open and get the credit for it," he says. "We don't pay for vulnerabilities," but the software vendors may.

Researchers go through CERT, he says, because dealing with the software vendors themselves can be tedious, time consuming and aggravating. "They may not want to deal with the vendors. If it's a protocol problem, they might have to tell 60 or 70 vendors. It's lots of work, and CERT will do it," Manion says.

CERT's goal is to get the vulnerabilities published as soon as possible, he says, making the flaws next to worthless to criminals. Criminals, ideally, want to run exploits before the vulnerabilities have been identified, when they can do maximum damage, he says.

About 16 months ago, a Microsoft vulnerability was posted on eBay and was taken down by the site after Microsoft complained. eBay says the sale violated its policy against enabling criminal activity.

WabiSabiLabi this week listed four vulnerabilities for sale, two against Windows Server 2003, one against Windows XP and one against WordPress 2.2.2. None had bids, but that doesn't tell much by itself, says Greenwood.

For more information about enterprise networking, go to NetworkWorld. Story copyright 2008 Network World Inc. All rights reserved.
