The 'eBay' of security holes wants to expand

WabiSabiLabi has been causing public concern since company officials said they would "set up a trading platform" for anyone who wants to sell zero-day vulnerabilities they have discovered to the highest bidder.

Nearly 2 months after its opening date, WabiSabiLabi advertises that it is doing very well, with more than 160,000 regular visitors. The company's plan now is to expand.

"We are prepared to launch services on the sidelines," said Chief Strategy Officer Roberto Preatoni. "We will open a series of security and communications services, including a completely new Intrusion Prevention / Detection system, based on a zero-day vulnerability database. WabiSabiLabi will also collaborate with many other security businesses in the future."

Problematic approach?

However, not all security experts like WabiSabiLabi's approach.

"I'm not a fan of that idea," said Enterprise Strategy Group analyst Jon Oltsik. "Researchers often spend time digging holes for liking or for academic purposes. Meanwhile, this model turns that job into a flea market.

Imagine: If medical experts could sell their research in such a blameless way online, this would be a real nightmare for regulatory agencies. Too much space for bad guys to abuse."

[Image; source: BBC]

Responding to this comment, Preatoni says he has a completely different perspective. "WabiSabiLabi does not encourage users to sell holes they discovered.

Instead, we offer a trading platform where security professionals can exchange their findings for a "legitimate prize".

"We do not trade holes on the floor. The winning bidder will receive a detailed, complete report describing the idea gap. It just proves that the gap is real, exists, right? Not too useful for illegal purposes."

Only benefit the seller?

Preatoni appeared completely satisfied with WabiSabiLabi's growth, with more than 150 vulnerabilities received since the opening. Not all of them were approved for listing "on the floor": 40 vulnerabilities were rejected because they were discovered by illegal techniques.

Currently, Microsoft Windows is still the richest "source" of vulnerabilities, with 51 holes. These vulnerabilities have sold at many different prices, the lowest being 100 euros and the highest 15,000 euros.

All participants, both sellers and buyers, must declare their identity to WabiSabiLabi. They are given a nickname to trade under, which protects their real names. Those who cannot pass this "filter" stage will not be allowed on the floor.

From another angle, David Aitel, Immunity's chief technology officer, said: "WabiSabiLabi just works for the seller."

"A large number of these vulnerabilities have been discovered and posted publicly by others before the auction ends. In the end, the buyer is a loser."

In addition, pricing a zero-day vulnerability is also problematic. According to Aitel, this work should have been assigned to a third party for inspection, evaluation and validation. However, WabiSabiLabi did not do this.

Trong Cam