Online auction for security bugs

Slimy   on 07 July 2007 - 23:11 · 12 comments & 5552 views

The online auction house WabiSabiLabi has been created to keep flaws out of the hands of hi-tech criminals by rewarding the researchers who find them. There is known to be a ready market for vulnerabilities on the digital underground. Many criminal groups prefer to keep vulnerabilities for their own ends, stealing information or hijacking computers, rather than let any other malicious hacker use them. The independent auction house aims to staunch the flow of vulnerabilities to the underground by giving security researchers a legitimate marketplace for what they find.

Herman Zampariolo, head of WabiSabiLabi, added that it could tempt many researchers to report findings they would otherwise keep quiet about, meaning many more vulnerabilities get reported. Once a vulnerability is reported, WSLabi will confirm that it is real and that it can be exploited. After this it will be placed on the auction site, where it can be sold to the highest bidder or sold exclusively to a single firm. WSLabi said it would ensure that all those who buy the vulnerabilities are legitimate.

News source: BBC News

Comments (12)
(1 reply) #1 SkyyPunk on 07 Jul 2007 - 23:17
Quote -
WSLabi said it would ensure that all those who buy the vulnerabilities were legitimate.

#1.1 whocares78 on 10 Jul 2007 - 08:36
the only legitimate use is to give it to the software vendor with the issue so they can fix it. there is no legitimate use for a vulnerability, except in console hacking etc., i.e. the PSP GTA crack, but even that is not really legitimate
(1 reply) #2 Croquant on 08 Jul 2007 - 00:22
This sort of thing should be illegal, but that would just drive it back underground where it's always been. At least this way the security companies can watch what's going on without having to resort to subterfuge and espionage.
#2.1 whocares78 on 10 Jul 2007 - 08:48
i disagree, i see it as hurting everyone. companies will need to pay this company to find out about one of their vulnerabilities, rather than security experts informing the company for free. sounds like a scam to get lots of money out of software vendors who don't want their vulnerabilities getting out in the open.

there is no good or legitimate reason for this website to even exist
#3 Express on 08 Jul 2007 - 00:33
I am surprised that people are actually bidding.
http://www.wslabi.com/wabisabilabi/initPublishedBid.do?

Bids on Linux vulnerability and some mail app.
(1 reply) #4 ScottKin on 08 Jul 2007 - 04:47
So - what we have here now with WabiSabiLabi is an actual marketplace for vulnerabilities?

Let the exploit wars begin! Instead of the Cold War we now have an electronic version of it, where the best vulns are to be had for coin or script.

Express - those listings for the Linux vulns can't be true and honest; I've had people tell me for years that there aren't any vulns for Linux, and that's why (in their own words) "Linux pwns Windows".

#4.1 whocares78 on 10 Jul 2007 - 08:39
please don't tell me you believe that

this is bad for all reasons, no good can come of this. whoever pays the most money gets to exploit the vulnerability first and make the most money from it. bad bad bad. bad idea.

#5 DKAngel on 08 Jul 2007 - 13:39
if linux had no vulns then could you explain my last redhat box about 5 years ago getting owned in every which way just because of a sendmail exploit?
(1 reply) #6 eAi on 09 Jul 2007 - 00:39
I think the thing about Linux is not that it doesn't have vulnerabilities, but that the vulnerabilities are easier to find (anyone can see the code) and easy to fix (anyone can fix them). You're not at the mercy of a single company waiting for them to fix it.

What I don't really understand is - what is the market for vulnerabilities? Sure, the company whose product is vulnerable will value it, but the only other people who will are hackers, who are excluded from this auction system...

Last edited by eAi on 09 Jul 2007 - 00:44
#6.1 whocares78 on 10 Jul 2007 - 08:42
exactly my point, the only legitimate user for exploits is the manufacturer, so that they can fix them. I would like to know how they exclude hackers. is there a list of hackers around? anyone can make up a legitimate company, buy a vulnerability and sell it off to dodgy people. there is no way to keep these vulnerabilities safe. like i said, the only legitimate use is to fix it.
#7 Magallanes on 09 Jul 2007 - 17:50
1- Buy a security bug.
2- ?????
3- PROFIT!!

#8 whocares78 on 10 Jul 2007 - 08:45
i think this is in no way helping the security industry, it makes it a whole lot worse. they are not preventing anything, instead they are speeding up the process and making it easier for cyber crooks to do dodgy things.

The MANUFACTURER is the only person that NEEDS to know about a vulnerability, any other use is going to be dodgy.
