Public exploit auction a bad idea - Silicon Valley Sleuth

Silicon Valley Sleuth, an insider's view from Silicon Valley
A blog from V3.co.uk

Public exploit auction a bad idea

A Swiss company has launched WSLabi, the first public market place for security exploits.

Researchers can sell or auction off their exploits on the website. The company will certify the flaw and provide a proof of concept, offering buyers the assurance that they are getting the real thing.

The initiative will allow a larger number of vulnerabilities to get disclosed. Chief executive Harman Zampariolo claims that last year as many as 139,362 flaws were discovered, but only 7,000 were publicly disclosed. He fails to explain where he came up with such an exact number.

The site currently offers four exploits, with prices ranging from 500 to 2,000 euros.

Paying for exploits isn't new. There are underground market places that continue to be well hidden from everybody, including most security researchers. Then you have bounty programmes from security vendors such as TippingPoint and software developers such as Mozilla.

An open market place has the obvious risk of attracting criminals. WSLabi may verify the identification of its buyers and sellers, but in the world of online fraud, fake identities are easy to come by.

Secondly, the security sector still believes overwhelmingly that researchers shouldn't be paid for exploit information. Instead they are credited, establishing them as capable pundits. Their reputation then provides them with jobs at firms that hope to prevent painful security disclosures.

Thirdly, the public doesn't benefit from this service. A small scale open source project is unlikely to pay up, and big firms such as Microsoft have so far refused to do so on principle. That means that security providers will likely end up with the information, which they can then use to build an independent patch or provide protection in their security software.

Independent patches are a bad idea because typically they are poorly tested. And having to rely on third party security software comes awfully close to paying the mafia for protection.

WSLabi aims to solve the problem of security researchers not getting paid, or not getting paid enough. This is largely a perceived problem, and the proposed solution seems to create a slew of new issues.

Comments

Just commenting your article point by point here:

"An open market place has the obvious risk of attracting criminals. WSLabi may verify the identification of its buyers and sellers, but in the world of online fraud, fake identities are easy to come by."

False: the criminals don't need to come and buy from that marketplace, they already have their own channels.

"Secondly, the security sector still believes overwhelmingly that researchers shouldn't be paid for exploit information. Instead they are credited, establishing them as capable pundits. Their reputation will then providing them jobs with firms that hope to prevent painful security disclosures."

That's the problem: the security sector still wants to exploit researchers' work for free. I think this initiative is just great in that view.

"Thirdly, the public doesn't benefit from this service."

Wrong, just by watching the marketplace and seeing the listed items, the general public gets a much more precise idea of what is going on in the 0day world, thus being warned when before they weren't.

"A small scale open source project is unlikely to pay up, and big firms such as Microsoft has so far refused to do so on principle. That means that security providers will likely end up with the information, which they can then use to build and independent patch or provide protection in their security software."

Wrong, open source software vulnerabilities might be purchased by a security company which might want to render services to its clients. You are wrong when assuming that the legitimate buyers from that marketplace would be only the software producers.

"Independent patches are a bad idea because typically they are poorly tested. And having to rely on third party security software comes awfully close to paying the mafia for protection."

That's a silly statement, pretty much the same as saying that your car insurance policy is like paying the mafia.

© Incisive Media Ltd. 2009