“Guns don’t kill people…”
This is a situation that I’m torn on. I am all for full disclosure but, selling vulnerabilities to the highest bidder smacks of a black market from the darker days in Liberia. The founders of this new site claim that this will help to, er, encourage vendors to patch their software in a timely manner. But, what’s to say the aforementioned vulnerabilities would not be sold to the criminal element? Last time I checked the bad guys did not wear black hats and masks. The criminal element can show up anywhere. A case in point is the arrest yesterday of a police officer in Toronto who is alleged to be a part of an international drug operation.
So, how will the bad guys be weeded out? From the article we find this, “So far, no bids have been posted, possibly because of delays in identifying the buyers, each of whom must use snail mail or fax to deliver proof of their identity and their bank account.” Wow, I guess identity theft is a thing of the past. This really doesn’t seem like all that good of an idea.
I’ll mull it over some more.
From ZDNet:
An eBay-like auction site that sells vulnerabilities will improve security by ensuring researchers get a fair price for their work, say the founders.
“The existing business model to reward researchers is a failure,” said Herman Zampariolo, chief executive of WSLabi, and the man behind the WabiSabiLabi auction site. A tiny minority of vulnerabilities currently get patched, he said, because IT experts aren’t paid for their work in uncovering them: “If the firemen are not paid, it’s not easy to extinguish a fire.”
“As long as vulnerabilities are bought and sold privately, the value can’t be the right one,” Zampariolo said. “Our intention is that the marketplace facility on WSLabi will enable security researchers to get a fair price for their findings and ensure that they will no longer be forced to give them away for free or sell them to cybercriminals,” he added.
The site currently holds a remote buffer overflow in Yahoo Messenger, a Linux kernel memory leak, an SQL injection flaw in MKPortal and a SquirrelMail problem.
Although researchers analysed around 7,000 vulnerabilities last year, he reckons the actual number of vulnerabilities found in code per year could be 139,362 — a curiously exact figure, originally quoted by Gunter Ollmann of security company ISS, now an IBM subsidiary.
[tags]Exploits For Sale, WabiSabiLabi, Vulnerabilities for Sale[/tags]
Comments