An Auction Site for Vulnerabilities
Not too sure about this concept. On one hand, having the vulnerabilities available to anyone is a good thing for whitehats and security professionals alike. But making it available to everyone means that if the vulnerability is good and someone wants to get into mischief, for the right price, they could cause a lot of grief. I will have to assume time will tell since the site is live.
JULY 5, 2007 | Discover a security flaw in a major application or system? You can’t sell it on eBay. But starting this week, you can sell it on a new auction site that’s not too much different.
WabiSabiLabi, whose marketplace opened for trading on Tuesday, is aiming to change the back-room market for security vulnerabilities and move it into the mainstream. Any researcher who finds a flaw can register to sell it on WSLabi’s marketplace. WSLabi, a “neutral, vendor-independent Swiss laboratory,” checks out the vulnerabilities and verifies their validity in its own labs before allowing them to be auctioned.
“This thing could definitely have legs,” says Jeremiah Grossman, CTO of WhiteHat Security. “I’ve heard people talk about selling exploits for a while, auction-style or otherwise, but this is the first auction implementation I’ve seen. All this would take is a couple of successful transactions, and it could cause a big shift in the way we traditionally think about the vulnerability disclosure process.”
There currently are four auctions going in the WabiSabiLabi marketplace, including a Linux kernel memory leak vulnerability that starts at 500 euros.
Full article and source: Dark Reading


