Auction Site for Vulnerabilities
I have been thinking about this business model. Who will buy these vulnerabilities? A friend said that the prices will keep the script kiddies away. That is not true: if you know where to look, you can still buy a legitimate credit card for under $20. What will keep the kiddies out is the due diligence that WabiSabiLabi said they will do when evaluating buyers. What about the vendors themselves? Would Yahoo pay $2500 for a vulnerability in Yahoo Messenger? To me that seems a bit like blackmail. I think once a company goes down the road of paying for bugs, there would be no turning back.
I think the most likely consumers would be security vendors. Network IPS and endpoint security vendors would be at the top of my list. From a marketing standpoint I can see where a vendor would like to be the first one to announce they have protection against this new threat. If you disagree, take a look at TippingPoint and their Zero Day Initiative. Why do you think they buy vulnerabilities? For the common good of all Internet citizens? No. It’s to protect their customers. They list it as reason #3 on their web site. It’s reason #1.
Jeremiah at WhiteHat Security made a good point when he said “All this would take is a couple of successful transactions, and it could cause a big shift in the way we traditionally think about the vulnerability disclosure process”.
I think this will die on the vine unless we see a couple of those successful transactions.