Auction Site for Vulnerabilities
I remember last year someone tried to sell a Microsoft flaw (I think it was Microsoft?) on eBay. The auction was quickly taken down citing a violation of eBay’s terms of use / service. Last week WabiSabiLabi opened its doors as an online auction house for vulnerabilities. I took a look today and there are several vulnerabilities listed, including SquirrelMail and Yahoo Messenger vulnerabilities. The prices range from a few hundred Euros to 2500 Euros.
I have been thinking about this business model. Who will buy these vulnerabilities? A friend said that the prices will keep the script kiddies away. That is not true. If you know where to look you can still buy a legit credit card for under $20. What will keep the kiddies out is the due diligence that WabiSabiLabi said they will do when evaluating buyers. What about the vendors themselves? Would Yahoo pay 2500 Euros for a vulnerability in Yahoo Messenger? To me that seems a bit like blackmail. I think once a company goes down the road of paying for bugs there would be no turning back.
I think the most likely consumers would be security vendors. Network IPS and endpoint security vendors would be at the top of my list. From a marketing standpoint I can see where a vendor would like to be the first one to announce they have protection against this new threat. If you disagree, take a look at TippingPoint and their Zero Day Initiative. Why do you think they buy vulnerabilities? For the common good of all Internet citizens? No. It’s to protect their customers. They list it as reason #3 on their web site. It’s reason #1.
Jeremiah at WhiteHat Security made a good point when he said “All this would take is a couple of successful transactions, and it could cause a big shift in the way we traditionally think about the vulnerability disclosure process”.
I think this will die on the vine unless we see a couple of those successful transactions.