Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

eBay for hackers launched

Swiss firm launches security bug auction site.

Article comments

A Swiss security firm called WabiSabiLabi has opened a web marketplace for zero-day security vulnerabilities.

The site will sell details on unpatched software flaws. The site is currently offering details on four bugs in products such as the Linux kernel and Yahoo Messenger. No bids have yet been registered, but asking prices for the research ranged between €500 and €2,000.

WabiSabiLabi argues that the computer industry's ethical disclosure policies have led to a raw deal for security researchers, who typically are not paid for disclosing vulnerabilities.

"Nobody in the pharmaceutical industry is blackmailing researchers (or the companies that are financing the research), to force them to release the results for free under an ethical disclosure policy," the WabiSabiLabi website states. Representatives from WabiSabiLabi could not immediately be reached for comment.

The company bills its marketplace as a way for "security researchers to get a fair price for their findings and ensure that they will no longer be forced to give them away for free or sell them to cyber-criminals."

But to David Perry at Trend Micro it looks like something else. "It's going to be eBay for vulnerabilities," he said.

Although WabiSabiLabi says it will sell details only to legitimate buyers, Perry is concerned that the site could be used to put dangerous information into the hands of criminals.

"We're looking at the potential of cyber warfare coming up," said Perry, who is Trend Micro's global director of education. "Now we're going to peddle vulnerabilities in a winner-takes-all auction. How do we know who's good and who's bad when we do this?"

Security researcher Cesar Cerrudo said that while it's uncommon for researchers to go underground to sell their vulnerabilities, it does happen. "Researchers will try to get money in the easier and faster way, and sometimes that can only be done in the black market," said Cerrudo, CEO of Argeniss Information Security.

WabiSabiLabi is run by Herman Zampariolo, formerly CEO of Italian networking vendor iLight. It lists Roberto Preatoni, founder of the Zone-h cyber-defacement website, as its strategic director.

Like eBay, WabiSabiLabi offers sellers a variety of options. Research can be offered at a fixed price, sold at auction, or sold to a number of different buyers in what is known as a Dutch auction.

WabiSabiLabi will test the research to make sure the vulnerabilities operate as advertised, and the company will also vouch for the sellers and buyers, who can remain anonymous and trade under nicknames.

Companies such as VeriSign's iDefense Labs and 3Com's TippingPoint division have offered cash for this type of research before, but this is the first time that such an open marketplace has been created, Perry said.

Argeniss's Cerrudo doesn't share Perry's fear of the vulnerabilities being misused. "This is already happening in the underground," he said, "but with a public service like this, I think things are a little clearer."



Share:

More from Techworld

More relevant IT news

Comments

fiskjäveln said: Is it I think that the underworld has quite enough money to buy the exclusive information about a 0day-exploit What f the highest bidder is one of those people rather than the creators of the software

geopoet said: This is one of the breakthroughs that need to be pursued making sure that security matters is well traced and protected Hackers could have their fine time to search through and test vulnerabilities of systems that are yet to be fortifiedBut I hope that this would not make the whole internet business up for monopoly among a few



Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *