Online auction for security bugs

Online auction house WabiSabiLabi has been created in order to prevent flaws getting in to the hands of hi-tech criminals by rewarding researchers that find them. There is known to be a ready market for vulnerabilities on the digital underground. Many criminal groups prefer to use vulnerabilities for their own ends to steal information or hijack computers rather than have any malicious hacker using them. The independent auction house aims to staunch the flow of vulnerabilities to the underground by giving security researchers a legitimate marketplace for what they find.

Herman Zampariolo, head of WabiSabiLabi added that it could tempt many researchers to report findings they would otherwise keep quiet about, meaning many more vulnerabilities get reported. Once a vulnerability is reported, WSLabi will confirm it is real and that it can be exploited. After this it will be placed on the auction site where it can be sold to the highest bidder or sold to just one firm. WSLabi said it would ensure that all those who buy the vulnerabilities were legitimate.

News source: BBC News

Report a problem with article
Previous Story

Microholography milks 500GB out of DVD-sized discs

Next Story

Solaris to Get Linux Features

11 Comments

the only legitimate use is to give it to the software vendor with the issue so they can fix it. there is no legitimate use for a vulnerability, except in console hacking etc, i.e PSP GTA crack but still this is not really legitimate

i disagree, i see it as hurting everyone, companies will need to pay this company to find out about one of their vulnerabilities, rather than security experts informaing the compnay for free, sounds like scam to get lots of money out of software vendors who don't want their vulnerabilities gettign out in the open.

there is no good or legitimate reason for this website to even exist

So - what we have here now with WabiSabiLabi is an actual marketplace for vulnerabilities?

Let the exploit-wars begin! Instead of the Cold War we now have an electronic version of it, where the best vuln's are to be had for coin or script.

Express - those listings for the Linux vulns can't be true and honest; I've had people tell me for years that there aren't any vulns for Linux, and that's why (in their own words) "Linux pwns Windows".

:cheeky:

please don't tell me you believe that :)

this is bad for all reasons, no good can come of this. whoever pays the most money gets to exploit the vbulnerability first and make the most money from it. bad bad bad. bad idea.

if linux had no vulns then could u explain my last redhat box about 5years ago getting owned in everywhich way just because of a sendmail exploit?

I think the thing about Linux is not that it doesn't have vulnerabilities, but that the vulnerabilities are easier to find (anyone can see the code) and easy to fix (anyone can fix them). You're not at the mercy of a single company waiting for them to fix it.

What I don't really understand is - what is the market for vulnerabilities? Sure, the company who's product is vulnerable will value it, but the only other people who will are hackers, who are excluded from this auction system...

exactly my point, the only legitimate user for exploits is the manufactuer, so that they can fix them. I woudl like to know how they exclude hackers, is there a list of hackers around, anyone can make up a legitimate company buy a vulnerability and sell it off to dodgy people, there is no way to keep these vulnerabilities safe. like i said the only legitimate use is to fix it.

i thnk this is in no way helping the security industry, it makes it a whole lot worse. they are not preventing anythign instead they are speeding up the process and making it ewasier for cyber crooks to do dodgy things.

The MANUFACTURER si the only person that NEEDS to know about a vulnerability, any other use is going to be dodgy.

Commenting is disabled on this article.