A group of security professionals launched this week what they hope will become the eBay of security research.
The Swiss-registered company, WSLabi, boasts that its online portal will allow researchers to sell vulnerabilities they have discovered to software companies and other interested parties through an open market. WSLabi plans to verify the identities and claims of both the buyer and seller. Already, four software flaws -- including a Linux memory leak and a flaw in Yahoo! Messenger 8.1 -- are listed on the site and more than 200 people have registered, according to the firm.
The security professionals launched the service to allow researchers to get a fair price for their discoveries and prevent exploits from being sold to cybercriminals, said CEO Herman Zampariolo.
"Different security companies, such as iDefense and TippingPoint, are already acting as intermediaries," Zampariolo told SecurityFocus in an interview on Friday. "The only difference is the business model."
The sale of vulnerabilities has been a contentious topic, one that has gained legitimacy only in the past two years through flaw bounty programs such as TippingPoint's Zero-Day Initiative (ZDI) and iDefense's Vulnerability Contributor Program (VCP). While some security researchers have seen large payoffs from selling vulnerability information to government agencies, for the most part the closed market for security research favors the buyers. TippingPoint and iDefense typically pay anywhere from $1,000 to $15,000 for vulnerability information, such as the recent QuickTime vulnerability used at the CanSecWest Conference to win the Pwn to Own MacBook contest.
The team behind WSLabi includes CTO Giacomo Paoni, a former information-technology consultant, and Strategic Director Roberto Preatoni, better known as the founder of defacement database and security site Zone-h.org.
Posted by: Robert Lemos