Security Industry Not Sold on Vulnerability Auctions


Whether security folks like it or not, there are a lot of ways that information about vulnerabilities gets disseminated across the Internet. One company has even started auctioning that information to the highest bidder.


Bad idea, according to this InformationWeek story, which reports on an online poll conducted at the recent Black Hat USA 2007 conference in Las Vegas: 80 percent of respondents said that using such sites is dangerous. While it is generally accepted that researchers deserve to be paid for their work, selling to the highest bidder is frowned upon for a number of reasons.


The survey was no doubt inspired by Swiss startup WabiSabiLabi.com (pronounced "wobby-sobby-lobby," according to News.com, and most often known as WSLabi). The company raised eyebrows -- and the ire of many security executives -- by launching an online vulnerability auction site last month. The stated purpose of the widely reported move was to earn fair compensation for researchers while helping to protect users of insecure software.


The inescapable reality is, of course, that criminals are just as able to bid on exploit code as legitimate IT folks. The WabiSabiLabi release devotes part of one unconvincing paragraph to this concern. ("Both researchers and buyers will have to identify themselves to WSLabi to ensure they are legitimate." OK, glad that's settled.) Verifying who a buyer is says nothing about what that buyer does with the exploit once it has paid for it.


It's not hard to guess that bloggers are slamming the idea. This posting at the Computer Security Institute first criticizes the auction site for seeming more interested in making money than in improving security, and for appearing to suggest that researchers tend to sell exploits to criminals. More importantly, the blogger roundly criticizes the sketchiness of what the release says about security.


The site may not even work, according to a post on the Matasano Chargen blog. Hackers -- both good and bad -- are smart folks who love a challenge. Chargen's take is that describing a vulnerability well enough to entice people to bid on it gives enterprising security experts enough of a hint to go and find the vulnerability themselves, without paying for it.


This CIO Insight piece says that brokers and security researchers alike are not averse to seeing successful researchers profit from their work. It notes that other companies -- it names TippingPoint, iDefense Labs, Immunity and Netragard -- already act as "flaw brokers," buying vulnerabilities from researchers. It raises no objection to that, since a broker chooses who it sells to while an auction does not, but it cites the same concerns about the auction site as the bloggers and the respondents to the Symantec survey.


In our view, the auction site doesn't seem like a good idea. While it is clear that a researcher who finds a flaw should profit -- just as a medical researcher profits from discovering something about a disease -- there seem to be too many flaws in this model.