In just two months, the IT security vulnerabilities marketplace launched by WabiSabiLabi (WSLabi) that encourages security researchers to sell their findings in an open marketplace to legitimate organisations, big or small, exceeded all expectations with over 150 vulnerabilities submitted.
IT security experts have jumped at the opportunity to sell their research in a safe environment to an eager and ready audience of vetted buyers prepared to pay a fair price to get their hands on the latest IT security vulnerabilities.
The site has had an impressive 160,000 unique visitors to the marketplace.
Visitors to the marketplace include enterprises, government departments and software vendors, big players in the IT security sector, who are keen to see which vulnerabilities are coming onto the marketplace in order to stay ahead of the game.
Herman Zampariolo, CEO of WSLabi, comments: "We are very pleased with the astounding success of the marketplace. The number of researchers registering and submitting vulnerabilities, as well as security companies and corporations registering to enable them to bid, has radically exceeded our expectations. However, it is not just the quantity that shows the success of the marketplace but also the quality, with many critical vulnerabilities in enterprise software being submitted. We have been welcomed by the IT community and received great feedback from many influential companies who want to be ahead of the game when it comes to protection from security flaws. This has enabled us to establish good business relations with software vendors and their customers."
Zampariolo continues: "Our recent recruitment drive, both commercial and technical, has been very popular, with CVs being submitted by experts from every corner of the world." Vulnerabilities on the marketplace have had selling prices ranging between 100 and 15,000 euros each. The types of vulnerabilities that have made it onto the marketplace include:
Vulnerabilities in / Number of vulnerabilities
- Web applications: 29
- Linux: 19
- Windows: 51
- SAP: 10
- IBM: 1
- Mac: 2
- Other: 6
However, not all vulnerabilities make it onto the marketplace: to date 40 vulnerabilities have been rejected, either because they were obtained through illegal methodology (e.g. reverse engineering of protected software) or because they were found against a specific website.
Research has to be a new, previously unpublished zero-day vulnerability. WSLabi only accepts vulnerabilities that are not related to software or hardware that has been tailor-made for a specific company, organisation or government department.
All parties, buyers and sellers, have to identify themselves to WSLabi; however, no personal information will ever be disclosed or held in the public domain. Each buyer and seller has a nickname that they trade under to protect their identity.
The personal data, along with the full details of the vulnerabilities, are not kept on the website database but are held on a separate, highly secure system.
The auction site only contains the nicknames of the sellers along with an overview of the vulnerability. To obtain full details of vulnerabilities the buyer has to purchase the research.
WSLabi currently has more than 1,000 registered sellers (researchers). Before vulnerabilities are eligible to be placed on the marketplace they are subject to a stringent verification process.
WSLabi will verify the research by analyzing and replicating it at their independent testing laboratories. They will then package the findings with a Proof of Concept.
They will also make sure the vulnerability has not already been disclosed in the public domain and is not a result of reverse-engineering; only when it has been verified will the vulnerability appear on the marketplace.
Of the applications WSLabi has received from potential buyers for access to the marketplace, only two-thirds have passed the thorough vetting process.
Applications are rejected if the potential buyer has not passed all stages of the vetting process; this could include not supplying adequate documentation, not providing suitable proof of ID or not belonging to a bona fide organisation. Once registered and vetted, buyers can bid, buy exclusively or 'buy it now', depending on the purchase options the researcher has selected.
WSLabi also helps researchers to design the best business model (e.g. selling scheme, starting selling price etc.), which enables them to maximize the value of their findings. The research can be sold via three methods on the marketplace:
- Starting an auction with a predefined starting price
- Selling to as many buyers as possible at a fixed price
- Selling it exclusively to one buyer
Researchers can also benefit from the Vulnerability Sharing Club (VSC), a program that enables researchers who have sold vulnerabilities through the exchange to earn extra royalty revenue.
Security research sold through the marketplace without the 'Buy Exclusive' option, which has not been made public or patched and is less than a year old, will automatically be entered into the VSC program.
Every three months a share of the total revenue generated by VSC program sales will be distributed among the researchers in proportion to their contribution, enabling researchers to maximise their income.
Roberto Preatoni comments: "The number of vulnerabilities on the marketplace proves that WSLabi is providing an alternative legal outlet for vulnerabilities; it is diverting research from being used for illegal purposes and generating regular and legitimate revenue for researchers, not only by selling their vulnerabilities via the marketplace but also through the VSC program. The VSC program will ensure that researchers receive additional revenue and are rewarded for their research on an ongoing basis."