Market for software flaws opens

A new market has opened for the auction of IT security vulnerabilities to the highest bidder. The business has attracted criticism from the IT industry but its backers say it will improve IT security.

WabiSabiLabi.com (WSLabi) is a Swiss company which has established the market for security vulnerabilities. Chief executive Herman Zampariolo says that it will help to encourage research into IT flaws, but the security industry fears that powerful information could fall into the wrong hands.

The market works by having buyers and sellers register with WSLabi. Buyers bid on information discovered by researchers about flaws, or vulnerabilities, in other people's software. Zampariolo says that it is information, and not tools for exploiting it, that is sold.

"We didn't invent the idea that you can trade vulnerabilities. A number of companies are trading them, some of them fully legally, some others are the hidden side of the market in which are happening exchanges which are a bit less legal or ethical," Zampariolo told weekly technology law podcast OUT-LAW Radio.

"The idea is that it is happening in a market place which everyone is free to register and in which everyone has a transparent identity," he said.

The traditional IT security industry has not welcomed the new marketplace. While its researchers say they go first to software companies with news of vulnerabilities, so that a solution to the problem is widely available and the software is safe to use, this market allows a small number of users to gain the security upper hand.

"What is in the public interest is that that vulnerability is provided to the manufacturer of that software so that they can provide a fix to the public en masse," said Greg Day, a security analyst at McAfee.

"When somebody puts a vulnerability on to an auction it's sold off to a private individual or organisation and it's really up to them what they then do with that, do they use that to launch their own attack? Do they maybe try and blackmail the manufacturer? The scope is very broad as to what could be done," said Day.

Zampariolo says that his auction house could improve security by ensuring that the large numbers of amateur security researchers who find vulnerabilities are paid for their work. He says they currently get little more than a t-shirt and $100 from existing security companies.

"It is a rather unbalanced market in which software vendors are making profits in the tunes of billions regularly and researchers are rewarded with a t-shirt or $100 in hand," said Zampariolo. "I think a bit more equilibrium should be set."

Prices on the market have risen in its first month of operation from a few hundred to a few thousand dollars for a typical vulnerability, Zampariolo said.

But Day said that the black market in vulnerabilities offers up to $75,000 for vulnerabilities, and that WSLabi cannot compete with those prices in attracting vulnerability sellers.