
Vulnerability researchers sell their wares online

Despite mixed reactions from the and software industry, the WabiSabiLabi software vulnerability auction site is doing well.

Site strategic director Roberto Preatoni told the ITWeb Security Summit that since its inception in July last year, the site had amassed 1 500 subscribers. Security researchers had submitted more than 230 software vulnerabilities. "Software is sold vulnerable and these vulnerabilities have a value, so why not create an open marketplace in which to sell them?" asked Preatoni.

Software was sold with stringent licence agreements that no other industry would dare attach to a product or service, he noted. "Software is sold with no reverse engineering capabilities and the vendor is so protected by law. How do we know what is concealed in there?"

He used the motor industry as an example, saying if cars were discovered to be defective they were returned to the manufacturer who took on the liability of those faults. "It should be the same in the IT industry, because lives are also connected to well-functioning software."

This is one aspect of why WabiSabiLabi was created. Another reason was to balance the security marketplace and provide security researchers with possible revenue from the service they provided.

Preatoni believes security researchers are seen negatively as long-haired, malicious, underground hackers. However, he said they had been painted with the wrong brush and were providing a valuable service to security and software vendors, as well as the public. "They are securing your machines."

The industry did not provide an adequate environment for researchers to create revenue from the work they provided. He said WabiSabiLabi provided a platform where security researchers could not only sell their discovered vulnerabilities, but they could choose to do so either to the highest bidder, or through mass selling. Initially, Preatoni wanted to give vendors first option to purchase the vulnerability from the auction; however, several legal advisors explained that it was considered blackmail.

Vendors, for the most part, were angry at the concept of a vulnerability marketplace. Others - such as - had been open-minded about the site and even given positive feedback.

Preatoni listed the top 10 "hit parade" of companies that most often checked the WabiSabiLabi Web site. They are, from least to highest activity: , VeriSign, Oracle, the US Army, F-Secure, Symantec, Veritas, , Microsoft, and taking the lead.

To see Preatoni's take on the summit, go to http://blog.wslabi.com/2008/05/are-south-africans-aliens-from-another.html
