Auction of Software Flaws Stirs Concerns

By Brian Krebs, Staff Writer
Friday, July 13, 2007

A Swiss Internet start-up is raising the ire of the computer security community with the launch of an online auction house where software vulnerabilities are sold to the highest bidder.

The founders of WabiSabiLabi (pronounced wobby-sobby-lobby) say they hope the new service offers a legitimate alternative for security researchers who might otherwise be tempted to sell their discoveries to criminals. Vulnerabilities that could be sold on the site range from those present in hardware that supports critical information infrastructure, such as Internet routers, to flaws in common desktop applications, such as Web browsers, instant messenger clients and e-mail programs.

Several vulnerability management companies already purchase information about software flaws from researchers. The terms of those deals are private and generally set by the companies. Allowing all interested parties to bid on security vulnerabilities in an eBay-style auction assures that researchers receive the fair market value for finding the flaws, said Herman Zampariolo, WabiSabiLabi's chief executive.

"Without an open marketplace, it is impossible to know just how much this intellectual property is worth, and while the free market is not the most perfect way to discover that, it's a good proxy," Zampariolo said. "Sure, lots of companies are setting figures for what they think vulnerabilities are worth, but a majority of researchers are getting far less than what their information is worth, and that's scandalous."

Some security experts say they are concerned that the online auction would allow people to sell instructions for breaking into computers and networks directly to the criminals most likely to use them.

"How do you know bidders aren't people with nefarious purposes?" said Terri Forslof, manager of security response for TippingPoint, a division of 3Com that buys vulnerabilities from researchers. "It's really easy to create a shell company that looks good on paper that is set up to be nothing but a front for bad guys."

Zampariolo said the company, which launched the site last week, thoroughly screens all potential sellers and buyers, requiring proof of identification, articles of incorporation and bank account information. For the first six months, the service will be free. After that, the auction house plans to take a 10 percent cut of the final selling price of a vulnerability. Security flaws up for auction not designated by the seller as "exclusive" for the buyer will be shared among a vulnerability alert club to which the company will sell access.

Still, the inability to positively identify customers was the prime reason researcher Greg Hoglund abandoned a similar idea several years ago. He built the online portal, but never conducted the auctions due to liability concerns if vulnerabilities were to wind up in the hands of criminals.

"I basically decided that if the bad guys get their hands on it, that could be a lot of people at risk, and that was a risk I wasn't willing to take," Hoglund said.

TippingPoint and VeriSign's iDefense pass along details of vulnerabilities they buy to the affected software vendors, and withhold public disclosure of the flaws until the vendors ship patches to plug the security holes. WabiSabiLabi's founder said the company does not have plans to notify affected vendors, saying that could ultimately decrease the price buyers are willing to pay for a vulnerability.

Software vulnerability researcher Dino Dai Zovi said he's excited about the vulnerability auction service and its prospects for rewarding researchers with better prices.

"I can see this service creating much more incentives for researchers to find flaws," Dai Zovi said. "Not everyone is willing to spend 20 to 40 hours looking for vulnerabilities in software just to receive a little thank-you note in Microsoft's security advisories."

It is unclear whether any major software vendors would bid on vulnerabilities in their own software. Microsoft has said that under no circumstances would it ever buy vulnerability research. Mozilla, the maker of the Firefox Web browser, offers $500 for each vulnerability privately reported to the company.

WabiSabiLabi already has opened bidding on four software vulnerabilities, which it claims its researchers tested to ensure that prospective buyers will receive what they purchased.

So far, only two have attracted three bids from interested buyers. But Zampariolo says he's received the necessary identifying documents from more than 200 security researchers interested in auctioning their discoveries.

© 2007 The Washington Post Company