SecurityFocus, 2007-07-13
While auction models might not help vendors, they do allow researchers to potentially profit more from their discoveries.
In a recent paper, security researcher Charles Miller described his experiences in selling vulnerabilities. One sale could have netted Miller $80,000, but because he could not get the exploit code working for a specific version of Linux, Miller settled for $50,000. The other sale, for $12,000, was scuttled when Microsoft fixed the vulnerability in question.
Auctions level the playing field and allow competition for the information, said Miller, who is a principal security analyst for Independent Security Evaluators. For that reason, he supports WSLabi. "I think it's a great idea, in theory," he said.
Yet, the company has some major hurdles ahead, he added.
Selling information is a tricky game. Give away too much to the buyer, and they no longer need to buy the information. On the other hand, the buyer requires some information to place a value on the vulnerability. That's why most people who sell vulnerability information have already established credentials and trust with the buyers.
Miller believes that WSLabi currently lacks the credentials to act as a middleman.
"These are, basically, people that I have never heard of before and I have no reason to trust them," he said. "With TippingPoint and iDefense, you basically don't have to worry about them screwing you over."
HBGary's Hoglund agrees. At the time when ZeroBay was ready to launch, he was a known quantity in the industry and believes he had the clout to get the concept off the ground. WSLabi has a way to go, he said.
"I don't think anyone knows who they are," Hoglund told SecurityFocus. "They don't have any industry credibility and they are incorporated in a country that does not appear to be their home country."
The reasons for the company's Swiss registration are no secret, said WSLabi's Preatoni. The owners are based in Switzerland, so they decided to incorporate in that country. However, the Swiss registration also heads off many of the legal issues that the company might have in the United States or in the European Union, he said.
"Switzerland has far more clear laws (regarding WSLabi's business model), while, generally speaking, the laws in the EU are old laws subject to the personal interpretation of the court (and represents) a huge gray area in terms of legislation, which needs to be sorted out as soon as possible."
In the United States, while the auctioning of information is not illegal, the act could create a great deal of liability for a U.S.-based company, according to Jennifer Granick, executive director of the Center for the Internet and Society at Stanford University's School of Law.
"Distributing the vulnerability to someone who is unknown -- but who is only recommended by their ability to pay the highest price -- and then not telling anyone else, adds liability," Granick said.
While the company does request that people who register to be a buyer or seller provide identification, such a measure could be easily circumvented, she added.
The auction site has shown one definite benefit, however: Publicly selling vulnerabilities stokes interest in finding the flaws first. ISE's Miller joined others in trying to track down the SquirrelMail vulnerability, which was eventually found and even appears to have been previously submitted to iDefense's Vulnerability Contributor Program.
"I don't think anyone would have looked at the code for SquirrelMail," Miller said. "The fact that they had (the flaw) on there, made me look at the code."
While proponents of open-source software frequently argue that public source code means that more people -- or "many eyes" -- will audit the code for vulnerabilities, many open-source projects do not get frequent reviews.
If the auction site takes off, however, security researchers may continue to try and beat buyers to the punch -- and that's a good thing, said HBGary's Hoglund.
"As soon as you post up an auction, everyone in the industry is going to take a look at (the application)," he said. "And that puts thousands of eyes on that code."