SecurityFocus 2007-07-13
Four years ago, rootkit guru Greg Hoglund found himself a day away from launching an auction site for vulnerabilities.
The security researcher had created the Web site, lined up a handful of vulnerabilities to kick off the auction, and even had leaked the story to SecurityFocus. Riffing off eBay's fame, Hoglund had christened the site ZeroBay. Yet, a day away from launching, the researcher pulled the plug instead.
"I had a frank discussion with my wife, and we decided that the business would have too many potential legal issues," said Hoglund, who now heads up digital forensics firm HBGary. "We didn't want to accept the financial liability for it."
The story serves as a cautionary tale for the creators of the first public vulnerability auction site, the oddly named WabiSabiLabi, which went live last week. The site has garnered wildly varied reactions from researchers and professionals in the security industry -- some approving, others not -- but all agree that the auction site is breaking new ground.
Run by start-up firm WSLabi, a Swiss-owned company, WabiSabiLabi launched with four vulnerabilities -- including flaws in Linux, Yahoo Messenger and SquirrelMail -- on the block at prices ranging from €500 to €2,000. The company is staffed by relatively unknown members of the security industry, many from Italy. Perhaps the best-known member of the team, Roberto Preatoni, is the founder of the defacement-tracking and security Web site Zone-H.org.
The site is off to a rocky start: The company has already had to pull two of the vulnerabilities for sale. Researchers were able to pore through the SquirrelMail code and find that flaw, while the Linux kernel issue was found to be already public. Preatoni, director for strategy at WSLabi, said such setbacks are expected.
"It will take time to see what (the auction model) will produce, either for bad or for good," Preatoni said. "We are just doing our best to find a viable way to redesign the vulnerability market in favor of the researchers."
Yet whether the auction model is right for the security world is a big question in the minds of many security professionals. A major ethical consideration is whether the auction model will result in vulnerabilities being fixed, or bought for use against unsuspecting targets. Some worry that vulnerabilities will be sold to cybercriminals who will use them for malicious purposes.
"The bottom line is that we know that selling vulnerability information can be dangerous," said Terri Forslof, manager of security response for the Zero Day Initiative, a vulnerability bounty program run by 3Com subsidiary TippingPoint.
WSLabi does not notify the vendor of the vulnerabilities put on the auction block but leaves that decision to the researcher selling the information. The company is not the owner of the information, so the decision to notify a vendor is not its to make, WSLabi's Preatoni said.
"The point is that we are not selling," Preatoni said in an e-mail interview with SecurityFocus. "This is what most people didn't understand in our business model. We just run facilities, offer visibility, and do the marketing communications. The researcher is selling."
That's a deal breaker for others in the security industry. The ethical problems and potential legal issues scuttled any thought of using auctions for the Zero Day Initiative, TippingPoint's Forslof said.
"I'm not personally opposed to an auction," she said. "That was one of the models we talked about ourselves with the Zero-Day Initiative. But we could never find a way to make it work responsibly and make it fit into our corporate value system."
TippingPoint would never consider bidding in the auctions, Forslof said. Microsoft also nixed the idea.
"We do not believe that offering compensation for vulnerability information is the best way we can help protect our customers," the software giant said in a statement sent to SecurityFocus. "Our policy is to credit finders who report vulnerabilities to us in a responsible manner."
While auction models might not help vendors, they do allow researchers to potentially profit more from their discoveries.
In a recent paper, security researcher Charles Miller described his experiences in selling vulnerabilities. One sale could have netted Miller $80,000, but because he could not get the exploit code working for a specific version of Linux, Miller settled for $50,000. The other sale, for $12,000, was scuttled when Microsoft fixed the vulnerability in question.
Auctions level the playing field and allow competition for the information, said Miller, who is a principal security analyst for Independent Security Evaluators. For that reason, he supports WSLabi. "I think it's a great idea, in theory," he said.
Yet, the company has some major hurdles ahead, he added.
Selling information is a tricky game. Give away too much to the buyer, and they no longer need to buy the information. On the other hand, the buyer requires some information to place a value on the vulnerability. That's why most people who sell vulnerability information have already established credentials and trust with the buyers.
Miller believes that WSLabi currently lacks the credentials to act as a middleman.
"These are, basically, people that I have never heard of before and I have no reason to trust them," he said. "With TippingPoint and iDefense, you basically don't have to worry about them screwing you over."
HBGary's Hoglund agrees. At the time when ZeroBay was ready to launch, he was a known quantity in the industry and believes he had the clout to get the concept off the ground. WSLabi has a way to go, he said.
"I don't think anyone knows who they are," Hoglund told SecurityFocus. "They don't have any industry credibility and they are incorporated in a country that does not appear to be their home country."
The reasons for the company's Swiss registration are no secret, said WSLabi's Preatoni. The owners are based in Switzerland, so they decided to incorporate in that country. However, the Swiss registration also heads off many of the legal issues that the company might have in the United States or in the European Union, he said.
"Switzerland has far more clear laws (regarding WSLabi's business model), while, generally speaking, the laws in the EU are old laws subject to the personal interpretation of the court (and represents) a huge gray area in terms of legislation, which needs to be sorted out as soon as possible."
In the United States, while the auctioning of information is not illegal, the act could create a great deal of liability for a U.S.-based company, according to Jennifer Granick, executive director of the Center for the Internet and Society at Stanford University's School of Law.
"Distributing the vulnerability to someone who is unknown -- but who is only recommended by their ability to pay the highest price -- and then not telling anyone else, adds liability," Granick said.
While the company does request that people who register to be a buyer or seller provide identification, such a measure could be easily circumvented, she added.
The auction site has shown one definite benefit, however: Publicly selling vulnerabilities stokes interest in finding the flaws first. ISE's Miller joined others in trying to track down the SquirrelMail vulnerability, which was eventually found and even appears to have been previously submitted to iDefense's Vulnerability Contributor Program.
"I don't think anyone would have looked at the code for SquirrelMail," Miller said. "The fact that they had (the flaw) on there, made me look at the code."
While proponents of open-source software frequently argue that public source code means that more people -- or "many eyes" -- will audit the code for vulnerabilities, many open-source projects do not get frequent reviews.
If the auction site takes off, however, security researchers may continue to try and beat buyers to the punch -- and that's a good thing, said HBGary's Hoglund.
"As soon as you post up an auction, everyone in the industry is going to take a look at (the application)," he said. "And that puts thousands of eyes on that code."