[ISN] Security vuln auction site pulls in research

From: InfoSec News (alerts@private)
Date: Sun Oct 14 2007 - 23:27:15 PDT


http://www.theregister.co.uk/2007/10/12/wslabi_update/

By John Leyden
12th October 2007

A controversial marketplace for security exploits and vulnerabilities 
said it has exceeded expectations with the submission of more than 150 
vulnerabilities in its first two months of operations.

WabiSabiLabi encourages security researchers to sell their findings to 
vetted buyers. Herman Zampariolo, chief exec of WSLabi which runs the 
WabiSabiLabi marketplace, said that the quality of the submitted 
vulnerabilities is as important as their quantity.

Vulnerabilities on the marketplace have had selling prices ranging 
between 100 to 15,000 euros each. So far 1,000 sellers (researchers) 
have registered on the site.

The types of vulnerabilities that have made it on to the marketplace 
include 51 bugs in Windows, 19 flaws in Linux, 29 web application 
vulnerabilities and two Mac-related flaws. Bugs in enterprise apps have 
also made an appearance with 10 flaws in enterprise software from SAP 
and one IBM-related vulnerability. Not all vulnerabilities submitted 
make it onto the marketplace. So far, WabiSabiLabi has rejected 40 for 
reasons including the use of "illegal methodology", such as reverse 
engineering on protected software. Only previously unpublished 
vulnerabilities are eligible for auction by WabiSabiLabi. In addition 
the Swiss firm does not accept vulnerabilities that apply to bespoke 
software.

WSLabi verifies the vulnerability research submitted to it before 
offering it for sale online. The firm advises researchers how best to 
auction their research on its site. Only two-thirds of submitted 
vulnerabilities have successfully passed through its vetting process, 
WSLabi reports.

"The number of vulnerabilities on the marketplace proves that WSLabi is 
providing an alternative legal outlet for vulnerabilities, it is 
diverting research from being used for illegal purposes and generating 
regular and legitimate revenue for researchers," said security 
researcher and defacement archive Zone-h co-founder Roberto Preatoni.

The launch of WSLabi marketplace marks a further evolution in the 
increasing complex market for security research and vulnerability 
information.

Some security firms try to get an edge over their rivals by paying 
independent security researchers for bugs they find, defences against 
which are added to their security products and notification services, 
thereby boosting their appeal. The approach was first widely applied by 
iDefense, but has since been taken up by other firms including Immunity 
and 3Com's TippingPoint division. Payments vary but tend to max out at 
around $10,000. ®



__________________________________________________________________      
CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques.  Register now for savings on conference fees   
and/or free exhibits admission. - www.csiannual.com



This archive was generated by hypermail 2.1.3 : Sun Oct 14 2007 - 23:47:03 PDT