Establishing Digital Trust: Don't Sacrifice Security for Convenience
WSLabi opened for business this week. The company said its Web site will offer known and verified vulnerabilities in applications and operating systems and promises to do it an open way, as opposed to the underground sales sites where exploits are sold and traded in the shadows of the Internet.
WSLabi bills itself as a "neutral, vendor-independent Swiss laboratory" that verifies all vulnerabilities submitted to the site in its own labs before allowing them to be auctioned.
It currently has four auctions running, including a Yahoo Messenger exploit and a Linux kernel memory leak. The Linux bid is at 600 Euros with one bidder while the Yahoo bid has no bidders at its starting price of 2000 Euros.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=iHerman Zampariolo, CEO of WSLabi, said in a statement "We decided to set up this portal for selling security research because although there are many researchers out there who discover vulnerabilities very few of them are able or willing to report it to the right people due to the fear of being exploited."
WSLabi estimates that while researchers had analyzed a little more than 7,000 publicly disclosed vulnerabilities last year, the number of new vulnerabilities found in code could be as high as 139,362 per year. It did not say how it arrived at so precise a number.
"Our intention is that the marketplace facility on WSLabi will enable security researchers to get a fair price for their findings and ensure that they will no longer be forced to give them away for free or sell them to cyber-criminals," said the statement.
The reaction among security experts is more along the lines of "Are you kidding me?!!!"
Marc Maiffret, CTO and co-founder of eEye, compared paying for security vulnerabilities to paying ransom for a kidnapping.
"As soon as software vendors start paying for them, the price will go up, and it becomes extortion at that point," he told internetnews.com. "So [the bids] will either get bought by security companies so they have clout but most likely it will be used by bad guys to create spyware or something like that."