About a month ago, I wrote about a new twist in the world of vulnerability research in which Intellectual Weapons announced that it's offering to work with researchers to develop fixes for security vulnerabilities and then patent those fixes. The idea is to profit through the sale of patent rights or infringement case settlements. If you missed that column you can read it at the URL below: http://www.windowsitpro.com/Articles/ArticleID/96286
By now you probably know that other companies, such as 3Com and iDefense, also have programs that pay researchers for vulnerability information. In those two programs, discoverers receive cash for their hard work, and 3Com and iDefense earn income too by selling the information to their network of customers in one fashion or another. This month yet another company, Switzerland-based WabiSabiLabi (at the URL below), entered the mix by offering an auction platform for vulnerabilities. Researchers submit their vulnerabilities for sale in one of four auction formats (traditional, Dutch, buy now, and buy exclusively), and if the vulnerability sells, the researcher earns money and WabiSabiLabi earns its cut too. https://wslabi.com
Reaction to the auction has been mixed. Some people think it's an incredibly bad idea because there's no telling who might actually buy a vulnerability. Although WabiSabiLabi says that it will diligently work to verify the identity of a buyer, that's no real guarantee because a real bad guy could easily use a front man to do the buying.
Furthermore, WabiSabiLabi leaves it up to the discoverer to inform any vendor affected by a vulnerability. This policy is another criticism that has been raised against the auction site. With it, WabiSabiLabi is basically standing behind "traditional Swiss neutrality", as it openly states.
So far, WabiSabiLabi has four vulnerabilities posted for sale, one each for Yahoo! Instant Messenger, the SquirrelMail GPG Plugin, Pidgin Instant Messenger, and the Linux kernel. As Matasano Security pointed out on its company blog, the nature of the GPG problem can be discovered by anyone well-versed in PHP code analysis. And someone has already publicly posted an exploit for the Linux kernel problem. So half of WabiSabiLabi's auction items are already mostly worthless in terms of cash value. And the Linux kernel exploit clearly shows that WabiSabiLabi is already having a negative effect on overall system security around the globe.
According to a statement in a company press release, "[WabiSabiLabi] decided to set up this portal for selling security research because although there are many researchers out there who discover vulnerabilities very few of them are able or willing to report it to the right people due to the fear of being exploited."
What I don't completely understand is why any company would willingly pay developers to write code and to put that code through some amount of quality assurance testing yet be totally unwilling to pay an outsider who found significant problems with that code – especially security problems. A solution to this long-time standoff would be to form a new group whose member companies would be willing to pay anyone for vulnerability information as long as acceptable disclosure policies were maintained by the discoverers – basically like 3Com and iDefense are already doing except with widespread vendor participation.
I do support the need for security researchers to be compensated for their hard work, and it's troubling that many vendors can't bring themselves to pay independent researchers. Nevertheless I don't see how WabiSabiLabi is an effective solution. It'll be interesting to watch over time to see if people continue to neutralize WabiSabiLabi by revealing the nature of the vulnerabilities that it tries to sell.