Bug Brokers: eBay-like Bug Site Doomed

By Lisa Vaas  |  Posted 07-10-2007

Claiming that security researchers are dissatisfied with current remuneration—white-hat chump change or the potential of black-hat broken kneecaps—a Swiss company has launched the first non-black-market auction site for zero-day vulnerabilities.

The eBay-like bug market, called Wabisabilabi, launched July 3. Security researchers and vulnerability brokers like the concept of selling vulnerabilities for fair market price just fine, but they also say the auction site has some serious flaws: lack of transparency (just who, exactly, is running this thing?); lack of ethics in selling vulnerabilities as opposed to just getting vendors to fix their products ASAP and thereby getting users protected ASAP; and lastly, the fact that you can't reveal details about a vulnerability without tipping off researchers on how to find it.

That, in fact, has already happened with one of Wabisabilabi's items, a command-execution PoC (proof of concept) for a vulnerability in Squirrelmail GPG Plugin that researchers believe they nailed after a mere 10 minutes of pondering the code and the flaw description.

Thus far, the auction site's listings page contains four flaws up for bid: a PoC for a local Linux kernel memory leak, not remotely exploitable, with one bid, now going for 600€; the vulnerability in Squirrelmail GPG Plugin, also up to 600€ in spite of having likely been uncovered elsewhere; a remotely exploitable SQL Injection vulnerability in MKPortal for which nobody's bidding; and the pièce de résistance: a PoC for a gleaming, zero-day, Yahoo Messenger 8.1 remote buffer overflow on Windows XP, remotely exploitable by—get this—any user in the victim's address book (although some interaction from the victim is required).

Arbitrary code execution possible but non-trivial.

All for a paltry minimum bid of 2,000€.

Actually, compared with prices reportedly paid by vulnerability brokers or on the black market, 2,000€—that's $2,725.30 in U.S. dollars—is paltry. Open-source software maker The Mozilla Foundation may only reward security researchers with $500 and a T-shirt for a reported flaw, but black-market prices reportedly range into six digits.

H.D. Moore, founder of the Metasploit Project, has been offered between $60,000 and $120,000 by a private buyer for each client-side vulnerability found in Internet Explorer, for example.

Granted, the marketplace is young. It could be that Wabisabilabi hasn't yet vetted many buyers or sellers. Or, as pointed out by Terri Forslof, manager of security response for 3Com's TippingPoint division, vulnerability sellers or buyers may be hesitant to give it a try, as they were when TippingPoint launched its own ZDI (Zero-Day Initiative).

Nobody's bidding at Wabisabilabi, her thinking goes, since they don't see anybody else bidding, and they have no clue how much to bid anyway. TippingPoint's ZDI buys vulnerabilities from researchers, notifies the affected product vendor, and protects its own customers from zero days through its intrusion prevention technology.

And yet the idea behind Wabisabilabi is to get security researchers a fair price for their findings and "ensure that they will no longer be forced to give them away for free or sell them to cyber-criminals," according to the company's launch press release.

"We strongly believe … researchers [who are] … doing their job and researching security … these guys need to be brought into legitimate revenue with legitimate reward for what they're doing," said Herman Zampariolo, CEO of WSLabi, in an interview with eWEEK.

"They're between the [frying] pan and the fire. … We all know there's a fraction of them that are black hat. But an astonishing majority are just looking to make a reward for what they're discovering. Legally, technologically, we've been doing research for how can we reward these people. Think of pharmaceuticals. … You develop your own intellectual property, sell it, there's no problem."

There is nothing new in the idea of buying vulnerabilities; flaw brokers include TippingPoint, iDefense Labs, Immunity and Netragard.

Wabisabilabi's name combines the Japanese word "Wabisabi," made up of the words wabi and sabi that together represent an aesthetic of imperfect, impermanent or incomplete beauty, with the German word for laboratory: Labi.

The new company is notable only for brokering vulnerabilities via an auction format. WSLabi pledges to verify vulnerability research by analyzing and replicating it in its independent labs and to then package it up with a PoC that will be sold on the marketplace in one of three ways: an auction with a predefined starting price; a sale to as many buyers as possible at a fixed price; or an exclusive sale to one buyer.
