SecurityFocus 2007-07-13
Four years ago, rootkit guru Greg Hoglund found himself a day away from launching an auction site for vulnerabilities.
The security researcher had created the Web site, lined up a handful of vulnerabilities to kick off the auction, and had even leaked the story to SecurityFocus. Riffing off eBay's fame, Hoglund had christened the site ZeroBay. Yet, a day away from launching, the researcher pulled the plug instead.
"I had a frank discussion with my wife, and we decided that the business would have too many potential legal issues," said Hoglund, who now heads up digital forensics firm HBGary. "We didn't want to accept the financial liability for it."
The story serves as a cautionary tale for the creators of the first public vulnerability auction site, the oddly named WabiSabiLabi, which went live last week. The site has garnered wildly varied reactions from researchers and professionals in the security industry -- some approving, others not -- but all agree that the auction site is breaking new ground.
Run by startup firm WSLabi, a Swiss-owned company, WabiSabiLabi launched with four vulnerabilities -- including flaws in Linux, Yahoo Messenger and SquirrelMail -- on the block at prices ranging from €500 to €2,000. The company is staffed by relatively unknown members of the security industry, many from Italy. Perhaps the best-known member of the team, Roberto Preatoni, is the founder of defacement-tracking and security Web site Zone-H.org.
The site is off to a rocky start: The company has already had to pull two of the vulnerabilities for sale. Researchers were able to pore through the SquirrelMail code and find that flaw, while the Linux kernel issue was found to be already public. Preatoni, director for strategy at WSLabi, said such setbacks are expected.
"It will take time to see what (the auction model) will produce, either for bad or for good," Preatoni said. "We are just doing our best to find a viable way to redesign the vulnerability market in favor of the researchers."
Yet whether the auction model is right for the security world is a big question in the minds of many security professionals. A big ethical consideration is whether the auction model will result in vulnerabilities being fixed, or bought for use against unsuspecting targets. Some worry that vulnerabilities will be sold to cybercriminals who will use them for malicious reasons.
"The bottom line is that we know that selling vulnerability information can be dangerous," said Terri Forslof, manager of security response for the Zero Day Initiative, a vulnerability bounty program run by 3Com subsidiary TippingPoint.
WSLabi does not notify the vendor of the vulnerabilities put on the auction block but leaves that decision to the researcher selling the information. The company is not the owner of the information, so the decision to notify a vendor is not its to make, WSLabi's Preatoni said.
"The point is that we are not selling," Preatoni said in an e-mail interview with SecurityFocus. "This is what most people didn't understand in our business model. We just run facilities, offer visibility, and do the marketing communications. The researcher is selling."
That's a deal breaker for others in the security industry. The ethical problems and potential legal issues scuttled any thought of using auctions for the Zero Day Initiative, TippingPoint's Forslof said.
"I'm not personally opposed to an auction," she said. "That was one of the models we talked about ourselves with the Zero-Day Initiative. But we could never find a way to make it work responsibly and make it fit into our corporate value system."
TippingPoint would never consider bidding in the auctions, Forslof said. Microsoft also nixed the idea.
"We do not believe that offering compensation for vulnerability information is the best way we can help protect our customers," the software giant said in a statement sent to SecurityFocus. "Our policy is to credit finders who report vulnerabilities to us in a responsible manner."