Public exploit auction a bad idea
A Swiss company has launched WSLabi, the first public market place for security exploits.
Researchers can sell or auction off their exploits on the website. The company will certify the flaw and provide a proof of concept, offering buyers the assurance that they are getting the real thing.
The initiative will allow a larger number of vulnerabilities to get disclosed. Chief executive Harman Zampariolo claims that last year as many as 139,362 flaws were discovered, but only 7,000 were publicly disclosed. He fails to explain where he came up with such an exact number.
The site currently offers 4 exploits with prices ranging from 500 to 2,000 Euro.
Paying for exploits isn't new. There are underground market places that continue to be well hidden from everybody, including most security researchers. Then you have bounty programmes from security vendors such as TippingPoint and software developers such as Mozilla.
An open market place has the obvious risk of attracting criminals. WSLabi may verify the identities of its buyers and sellers, but in the world of online fraud, fake identities are easy to come by.
Secondly, the security sector still believes overwhelmingly that researchers shouldn't be paid for exploit information. Instead they are credited, establishing them as capable pundits. Their reputation will then provide them with jobs at firms that hope to prevent painful security disclosures.
Thirdly, the public doesn't benefit from this service. A small scale open source project is unlikely to pay up, and big firms such as Microsoft have so far refused to do so on principle. That means that security providers will likely end up with the information, which they can then use to build an independent patch or provide protection in their security software.
Independent patches are a bad idea because typically they are poorly tested. And having to rely on third party security software comes awfully close to paying the mafia for protection.
WSLabi aims to solve the problem of security researchers not getting paid, or not getting paid enough. This is largely a perceived problem, and the proposed solution seems to create a slew of new issues.

Just commenting on your article point by point here:
"An open market place has the obvious risk of attracting criminals. WSLabi may verify the identification of its buyers and sellers, but in the world of online fraud, fake identities are easy to come by."
False: the criminals don't need to come and buy from that marketplace, they already have their own channels.
"Secondly, the security sector still believes overwhelmingly that researchers shouldn't be paid for exploit information. Instead they are credited, establishing them as capable pundits. Their reputation will then provide them with jobs at firms that hope to prevent painful security disclosures."
That's the problem: the security sector still wants to exploit researchers' jobs for free. I think this initiative is just great in that view.
"Thirdly, the public doesn't benefit from this service."
Wrong: just by watching the marketplace and seeing the listed items, the general public gets a much more precise idea of what is going on in the 0day world, thus being warned when before they weren't.
"A small scale open source project is unlikely to pay up, and big firms such as Microsoft have so far refused to do so on principle. That means that security providers will likely end up with the information, which they can then use to build an independent patch or provide protection in their security software."
Wrong: open source software vulnerabilities might be purchased by a security company that might want to render services to its clients. You are wrong when assuming that the legitimate buyers from that marketplace would be only the software producers.
"Independent patches are a bad idea because typically they are poorly tested. And having to rely on third party security software comes awfully close to paying the mafia for protection."
That's a silly statement, pretty much the same as saying that your car insurance policy is like paying the mafia.
Posted by: john | July 7, 2007 1:15 AM