Microsofties Check Out Vulnerability Auction Site at Blue Hat

WabiSabiLabi participates in closed-door Microsoft summit of security researchers and Microsoft staff

Symantec is there, and so are Sourcefire and TippingPoint, but the most surprising speaker invited to Microsoft's exclusive, closed-door Blue Hat summit this week in Redmond, Wash., is WabiSabiLabi, the controversial online auction site for buyers and sellers of vulnerabilities. (See An Auction Site for Vulnerabilities and WabiSabiLabi on Deck at Blue Hat.)

Roberto Preatoni, strategic director for the Switzerland-based WSLabi, says he welcomed the opportunity to shed some light on the site's operations and dispel misconceptions about it. He told Microsoft yesterday that so far, WSLabi's buyers are security companies, and its sellers are either security companies or independent researchers.

Blue Hat is Microsoft's twice-yearly closed-door summit between hackers and Microsoft's own researchers and security product execs. Other speakers there this week are researchers from IO/Active (Dan Kaminsky), SPI Dynamics, Coseinc, Leviathan, and Sabre Security (Halvar Flake), as well as Microsoft's own researchers.

But it was WSLabi's presentation that turned heads. WSLabi, which promises confidential transactions between buyers and sellers of software vulnerabilities, has been criticized for commoditizing bug research and selling bugs to the highest bidder. WSLabi so far has logged over 1,000 subscriptions to its site and has received 128 vulnerabilities, eight of which have been transacted online so far, according to Preatoni. Currently, the site shows 15 bugs on the online marketplace, but none has received a bid as yet.

The marketplace's founders say they started the auction site because the responsible disclosure policy honored by many security researchers has been abused by security vendors, which basically get the bugs for free. That, they say, has led some researchers to go to the dark side to actually make money, selling their bugs to cybercriminals.

WSLabi's critics worry that it won't be easy to determine just how a buyer will actually use the bug -- for legitimate or nefarious purposes. And many major software firms already have policies not to purchase vulnerabilities at all, they say.

Preatoni argues that bad guys wouldn't risk doing business on WSLabi. "There is a vetting process in place in which the potential buyer has to go through a series of checks, including matching the provided ID information with the bank account information," he says. "A criminal wouldn't accept the risk of buying from our marketplace if his ID is properly checked."

Preatoni says WSLabi has profiled the main visitors to its site, and so far the most frequent are Cisco, Microsoft, IBM, Veritas, Symantec, F-Secure, the U.S. Army, Oracle, VeriSign, and SAP, in that order.

To date, zero-day bugs and related proof-of-concepts have sold on WSLabi for anywhere from a few hundred euros to 5,000 euros, Preatoni says. WSLabi takes a 10 percent cut from each sale, and also maintains a vulnerability database as a service.

Meanwhile, Preatoni admits he was a bit surprised by Microsoft's invitation for him to participate at Blue Hat, but says that WSLabi had already forged some key relationships with Microsoft's security people. "Microsoft is today the only vendor who is actively seeking to establish good relationships with the researcher community by meeting people at the various security conferences and workshops around the world," he says.

So how was WSLabi received by Microsofties at Blue Hat so far? "Very much positive overall. The attendees were pleased to hear about our project, we didn't hear much criticism," he says. "But again, they were all young people, very much open-minded."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
