Auctioning Vulnerabilities and Making an Honest Buck in Security Research
Security researchers can spend a lot of time chasing down vulnerabilities and then turn them over to vendors for free (or maybe several hundred dollars and a t-shirt if they are lucky), or they can sell them to the highest bidder. Selling vulnerabilities on the black market has been around for a while; now Wabisabilabi is trying to create a legitimate market for vulnerabilities. It isn't going too well.
From Bug Brokers: eBay-like Bug Site Doomed:
The eBay-like bug market, called Wabisabilabi, launched July 3. Security researchers and vulnerability brokers like the concept of selling vulnerabilities for fair market price just fine, but they also say the auction site has some serious flaws: lack of transparency (just who, exactly, is running this thing?); lack of ethics in selling vulnerabilities as opposed to just getting vendors to fix their products ASAP and thereby getting users protected ASAP; and lastly, the fact that you can't reveal details about a vulnerability without tipping off researchers on how to find it.
The rules governing cybercrime markets seem to be different from those of legal markets. For starters, botnet herders probably have enough data to estimate how many PCs they can compromise with a particular class of vulnerability, which in turn dictates how much they can make pumping out spam and phishing lures. How does someone who buys a vulnerability in order to plug it recover the cost of that purchase? Vendors don't charge more for patched software. There is the soft cost of having your brand name associated with buggy software, but that hasn't seemed to hurt big-name vendors like Microsoft and Oracle.
I'm not sure what has to change for a white-hat vulnerability market to work, but the idea has some fundamental problems right now. What do you think needs to change?