Security Company Launches Auction Site For Zero-Day Bugs

A Swiss security research company says it's helping other researchers get the best price for their work -- by putting unpatched software bugs up for bid.

Sharon Gaudin, Contributor

July 6, 2007


Is there a market for a zero-day vulnerability? A new online auction site is trying to find out.

WSLabi, a Swiss security research lab, has created what it's calling an online marketplace for security research. The company has built a portal where researchers, security vendors and software companies can bid to buy information on security research. As of Friday afternoon, the portal was offering up information on four different unpatched bugs, including a memory leak in a Linux kernel and a remote buffer overflow in Yahoo Messenger. According to WSLabi's online release, they're looking to help researchers get the "correct value for their findings."

The company claims it can help researchers get 20 times more than they receive for bug information now.

"We decided to set up this portal for selling security research because, although there are many researchers out there who discover vulnerabilities, very few of them are able or willing to report it to the right people due to the fear of being exploited," said Herman Zampariolo, CEO of WSLabi, in a written statement. "Recently, it was reported that although researchers had analyzed a little more than 7,000 publicly disclosed vulnerabilities last year, the number of new vulnerabilities found in code could be as high as 139,362 per year. Our intention is that the marketplace facility on WSLabi will enable security researchers to get a fair price for their findings and ensure that they will no longer be forced to give them away for free or sell them to cyber-criminals."

In an effort to minimize risk, WSLabi said it will require researchers to identify themselves, and that it does not want security research submitted if it came from an illegal source or activity. The company did not specify how it will prevent that from happening. It did add, though, that buyers will be vetted to minimize the risk of selling information to the "wrong people."

Johannes Ullrich, chief technology officer with the Internet Storm Center, said the ability to buy a zero-day bug on an auction site and use it any way you want raises security concerns.

While security companies like iDefense and TippingPoint buy information on software bugs and exploits, they make that information available to the affected vendor and then they use it only to protect their users, noted Ullrich in an interview. How will other buyers use the information?

"It's about the intent of what they're going to do with it," he added. "With TippingPoint, you know what they're going to do. How do you screen everyone else for intent?"

Researchers, according to the WSLabi release, can submit their findings to the exchange once they register. WSLabi said it will verify the research by analyzing and replicating it in their independent testing laboratories. After it's verified, they will package the findings with a Proof of Concept, which can be sold three different ways. They can start an auction with a predefined starting price, sell it to as many buyers as possible at a fixed price or sell it to just one buyer.
