Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

An Auction Site for Vulnerabilities

WabiSabiLabi takes buying and selling of security vulnerabilities mainstream with first above-board, eBay-like auction site

Discover a security flaw in a major application or system? You can't sell it on eBay. But starting this week, you can sell it on a new auction site that's not too much different.

WabiSabiLabi, whose marketplace opened for trading on Tuesday, is aiming to change the back-room market for security vulnerabilities and move it into the mainstream. Any researcher who finds a flaw can register to sell it on WSLabi's marketplace. WSLabi, a "neutral, vendor-independent Swiss laboratory," checks out the vulnerabilities and verifies their validity in its own labs before allowing them to be auctioned.

"This thing could definitely have legs," says Jeremiah Grossman, CTO of WhiteHat Security. "I've heard people talk about selling exploits for a while, auction-style or otherwise, but this is the first auction implementation I've seen. All this would take is a couple of successful transactions, and it could cause a big shift in the way we traditionally think about the vulnerability disclosure process."

There currently are four auctions going in the WabiSabiLabi marketplace, including a Linux kernel memory leak vulnerability that starts at 500 euros.

The marketplace's founders say they believe the "ethical disclosure" policy followed by many security researchers is costing them money. "The system introduced by 'ethical disclosure' has been historically abused by both vendors and security providers in order to exploit the work of security researchers for free," the auction site says.

"This happens only in the IT security field," the site states. "Nobody in the pharmaceutical industry is blackmailing researchers (or the companies that are financing the research) to force them to release the results for free under an ethical disclosure policy.

"In this view, WabiSabiLabi has a not-for-free-disclosure policy, explicitly aiming to reward researchers," the founders state. "The only free information available to both vendors and public will be the general information on each piece of security research listed on the marketplace, which will be enough to understand the issues introduced by each security research, without disclosing any sensible technical detail."

"Recently it was reported that although researchers had analyzed a little more than 7,000 publicly disclosed vulnerabilities last year, the number of new vulnerabilities found in code could be as high as 139,362 per year," said WSLabi CEO Herman Zampariolo, in a written statement. "Our intention is that the marketplace facility on WSLabi will enable security researchers to get a fair price for their findings and ensure that they will no longer be forced to give them away for free or sell them to cyber-criminals."

WSLabi states that the research can only be sold under the condition that "the provided security research material must not come from an illegal source/activity." The site does not say which country's laws it will use to define the term "illegal" -- Germany, for example, recently adopted legislation that essentially outlaws all unauthorized access of computers, even for security research.

Researchers who have seen the site say their first concern is who will be allowed to buy the vulnerabilities. WSLabi says it will "carefully evaluate" all potential buyers "to minimize the risk of selling the right stuff to the wrong people." But the site does not describe its process for doing the vetting, other than requesting a phone number and a faxed copy of an identity card.

"My main fear with this type of thing is that it is difficult to differentiate between a legitimate buyer and someone who simply wants to use the vulnerability for nefarious purposes," says Robert Hansen (a.k.a. RSnake), CEO of SecTheory LLC. "Many of the biggest players in the software industry have said time and time again that they will not buy vulnerabilities, in the same way that the U.S. does not negotiate with terrorists."

WSLabi says it will help researchers design the best-selling scheme and starting price for their discoveries, "enabling them to maximize the value of their findings. A piece of research that would currently sell to one company on an exclusive basis for $300 to $1,000 could sell for ten to twenty times more than this amount using the portal," the auction site says.

The site works much like eBay, with options for Dutch auctions, Buy Now, and a definite running time for each auction. Sellers can choose to sell exclusively to a single buyer or to multiple purchasers. WSLabi did not disclose how much it charges to test the vulnerabilities and act as a broker for each sale.

"I'd expect several researchers to give it a try," Grossman says.

— Tim Wilson, Site Editor, Dark Reading

  • WabiSabiLabi Ltd.
  • WhiteHat Security
  • SecTheory LLC Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    How to Better Secure Your Microsoft 365 Environment
    Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
    Attackers Leave Stolen Credentials Searchable on Google
    Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
    Register for Dark Reading Newsletters
    White Papers
    Cartoon Contest
    Write a Caption, Win an Amazon Gift Card! Click Here
    Latest Comment: This comment is waiting for review by our moderators.
    Current Issue
    2020: The Year in Security
    Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
    Flash Poll
    Assessing Cybersecurity Risk in Today's Enterprises
    Assessing Cybersecurity Risk in Today's Enterprises
    COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2021-01-27
    WinSCP before 5.17.10 allows remote attackers to execute arbitrary programs when the URL handler encounters a crafted URL that loads session settings. (For example, this is exploitable in a default installation in which WinSCP is the handler for sftp:// URLs.)
    PUBLISHED: 2021-01-27
    The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid input sequences in the ISO-2022-JP-3 encoding, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service.
    PUBLISHED: 2021-01-27
    A heap-based buffer overflow issue has been identified in the way the application processes project files, allowing an attacker to craft a special project file that may allow arbitrary code execution on the Tellus Lite V-Simulator and V-Server Lite (versions prior to
    PUBLISHED: 2021-01-27
    Multiple out-of-bounds write issues have been identified in the way the application processes project files, allowing an attacker to craft a special project file that may allow arbitrary code execution on the Tellus Lite V-Simulator and V-Server Lite (versions prior to
    PUBLISHED: 2021-01-27
    Multiple out-of-bounds read issues have been identified in the way the application processes project files, allowing an attacker to craft a special project file that may allow arbitrary code execution on the Tellus Lite V-Simulator and V-Server Lite (versions prior to